11-12-2018 07:25 AM - edited 11-12-2018 07:28 AM
Hi,
We are having issues pinging the gateway after an outage happened. We are unable to ping out from the Cisco. Please see below for the config.
ciscoasa(config)# show running-config
: Saved
:
: Serial Number: FCH18457D65
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.8(3)8
!
hostname ciscoasa
enable
names
no mac-address auto
!
interface GigabitEthernet0/0
 description to WAN
 nameif outside
 security-level 0
 ip address 216.164.164.218 255.255.255.248
!
interface GigabitEthernet0/1
 description to LAN
 nameif CORPNET52
 security-level 100
 ip address 10.130.52.1 255.255.252.0
!
interface GigabitEthernet0/1.13
 description to VPN
 no vlan
 no nameif
 security-level 100
 ip address 10.130.13.1 255.255.255.0
!
interface GigabitEthernet0/1.62
 description to GUEST
 no vlan
 no nameif
 security-level 20
 ip address 10.130.62.1 255.255.255.0
!
interface GigabitEthernet0/2
 description to VOICE
 shutdown
 nameif VOICE42
 security-level 100
 ip address 10.130.42.1 255.255.255.0
!
interface GigabitEthernet0/3
 description to MGMT
 shutdown
 nameif MGMT10
 security-level 100
 ip address 10.130.10.1 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa983-8-smp-k8.bin
ftp mode passive
object network 10.130.52.0_22
 subnet 10.130.52.0 255.255.252.0
object network 10.120.52.0_22
 subnet 10.120.52.0 255.255.252.0
access-list 100 extended permit ip object 10.130.52.0_22 object 10.120.52.0_22
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu CORPNET52 1500
mtu VOICE42 1500
mtu MGMT10 1500
mtu management 1500
no failover
no monitor-interface outside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (CORPNET52,outside) source static 10.130.52.0_22 10.130.52.0_22 destination static 10.120.52.0_22 10.120.52.0_22 no-proxy-arp route-lookup
!
nat (CORPNET52,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 216.164.164.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.130.0.0 255.255.255.0 CORPNET52
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 20 match address 100
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 128.177.20.34
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd dns 8.8.8.8 4.2.2.2
!
dhcpd address 10.130.52.5-10.130.52.254 CORPNET52
dhcpd enable CORPNET52
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username username service-type admin
tunnel-group 128.177.20.34 type ipsec-l2l
tunnel-group 128.177.20.34 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d214ef7e0a9797c8904b211b378fc5a6
: end
11-12-2018 07:37 AM
Is the issue related only to PING, or can you not browse the Internet at all?
Can you ping the Internet from the firewall console?
What is your IP? And what is the PING destination?
Regards.
11-12-2018 07:39 AM
Unable to ping the Internet from the firewall console.
11-12-2018 07:50 AM
So, if the issue is only related to icmp, can you try to configure an acl to permit icmp from outside to inside?
Something like this:
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
and apply the acl using the command:
access-group outside_access_in in interface outside
Let me know the result.
Regards.
11-12-2018 09:12 AM
Still unable to ping out of the Cisco. Can't even hit our ISP gateway. We are unable to route out.
11-12-2018 09:32 AM
To be honest I don't understand if the issue is related to all IP traffic or only to PING (icmp).
Is the outside interface up?
show int g0/0
Is the ARP table consistent?
show arp
What is connected to outside?
Could the ISP CPE be stuck?
Regards.
11-12-2018 01:18 PM
Interface is up.
What do you mean by "is the ARP table consistent"? What will I be looking for?
What is ISP CPE?
11-13-2018 07:59 AM
Please, from the firewall console test a ping to the default gateway and after that execute the 'show arp' command.
Post the output.
Regards.
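The check requested above (ping the default gateway, then read 'show arp') can be scripted. This is an added example, not part of the thread: the config lines are taken from the posted running-config, while the 'show arp' output, the MAC addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Config lines from the posted running-config; 'show arp' samples are constructed.
CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 216.164.164.218 255.255.255.248
route outside 0.0.0.0 0.0.0.0 216.164.164.217 1
"""
ARP_OK = "\toutside 216.164.164.217 0011.2233.4455 12\n"       # constructed
ARP_MISSING = "\tCORPNET52 10.130.52.20 0011.2233.4466 3\n"    # constructed

def default_route(config):
    """Return (nameif, next_hop) of the 0.0.0.0/0 static route, or None."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return (m.group(1), ipaddress.ip_address(m.group(2))) if m else None

def interface_network(config, nameif):
    """Return the connected network of the interface carrying this nameif."""
    for block in re.split(r"\n(?=interface )", config):
        if re.search(rf"^ +nameif {re.escape(nameif)}$", block, re.M):
            m = re.search(r"^ +ip address (\S+) (\S+)", block, re.M)
            if m:
                return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return None

def arp_entry(show_arp, nameif, ip):
    """Return the MAC learned for ip on nameif in 'show arp' output, or None."""
    for line in show_arp.splitlines():
        fields = line.split()  # expected: nameif, IP, MAC, age
        if len(fields) >= 3 and fields[0] == nameif and fields[1] == str(ip):
            return fields[2]
    return None

def diagnose(config, show_arp):
    """Say whether the default gateway is reachable at layer 2."""
    route = default_route(config)
    if route is None:
        return "no default route configured"
    nameif, hop = route
    net = interface_network(config, nameif)
    if net is None or hop not in net:
        return f"next hop {hop} is not on the {nameif} connected network"
    mac = arp_entry(show_arp, nameif, hop)
    if mac is None:
        return f"no ARP entry for {hop} on {nameif}: check cabling, VLAN and the ISP CPE"
    return f"gateway {hop} resolved to {mac}: layer 2 works, look at routing, NAT or the ISP"

if __name__ == "__main__":
    print(diagnose(CONFIG, ARP_OK))
    print(diagnose(CONFIG, ARP_MISSING))
```

A missing ARP entry after the ping means the firewall never got a layer 2 reply from the gateway, so no ACL or NAT change on the ASA will restore connectivity.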
11-17-2018 09:34 AM
Try to ping WAN interface ip : # Ping 216.164.164.218
Try to ping LAN interface ip : # 10.130.52.1
Try to ping Voice interface ip : # 10.130.42.1
And ping Mgmt interface ip : # 10.130.10.1
Thanks,
Praveen.N