Access (or Ping) from Inside host to Outside host

Tang-Suan Tan
Level 1

Hi all :

Attached is my ASA5505 config file.

I am trying to ping from my inside host (192.168.1.110) to outside host (192.168.2.5) but could not make it. In fact, the inside is with high security (100) and outside low security (0) and this should be no problem, but I still couldn't make it.

I have set up the static route from inside to outside. I also set up the access rule and applied the rule at the outside interface for any host from outside interface 192.168.2.0/24 to access the inside host 192.168.1.110/24.

I also tried to disable the NAT rule by using several NAT commands.

Can anybody help? Thanks!

2 Accepted Solutions

You can add icmp inspection as well, if not ACL, like this:

    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global

You'll also find a very good explanation by Mike in this post:

https://supportforums.cisco.com/thread/2112005?tstart=0

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Hi,

For traffic originating from a low security level to a high security level you have to configure an ACL permitting this traffic and apply it inbound on the low security level interface.

    access-list ICMP_OUT_IN extended permit icmp any any
    access-group ICMP_OUT_IN in interface outside

Regards.

Alain.

Don't forget to rate helpful posts.

6 Replies

varrao
Level 10

Hi Tang-Suan,

You just need to allow return traffic on the ASA. For that you can add this ACL:

    access-list outside_access_in extended permit icmp any any

and it should work after that.

Thanks,
Varun Rao

Hi Varun :

I have added in

    access-list outside_access_in extended permit icmp any any
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global

but it still does not work.

Please see the attached latest config file.

Can you look at the NAT command and Static Route command? Are they correct?

Besides that, is there anything that you can advise? Thanks!

Hi Varun :

Sorry, the inside can now ping the outside. The reason was that the wireless network gateway took over from the firewall gateway, since my wireless network is also in 192.168.1.x/24.

After I disabled the wireless, it works.

This problem was found after I used tracert and noticed that it goes to the wireless gateway 192.168.1.254 instead of 192.168.1.1 of the ASA5505 interface.

Thanks also for your advice on the few commands to make it work.

The problem now is that I cannot ping from outside host 192.168.2.5 to inside host 192.168.1.110. Can you help?

The config file is the same as running-config2. Thanks!

Thanks Varun and Cadet:

Your answers are correct and my problem is solved. The problem with the outside host pinging the inside host was due to my inside host firewall; after disabling it, it is OK now.

For a new problem, I will open a new discussion.

Many thanks!
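
Both accepted answers use `permit icmp any any` on the outside interface; the same fix can be scoped to the two hosts in this thread so the outside network gains nothing beyond the one ping it needs. The block below is an added example, not part of the original posts or the poster's attached config. It assumes there is no NAT between inside and outside (so the ACL matches the real inside address) and that the ACL and policy names are the ones used in the replies; `packet-tracer` and the `show` commands are standard ASA commands that the thread itself does not mention.

```cisco
! Constructed example using the two host addresses named in this thread.
! Assumption: no NAT between inside (192.168.1.0/24) and outside (192.168.2.0/24).

! Outside-initiated ping (security level 0 -> 100):
! permit only the echo request from the one outside host to the one inside host.
access-list outside_access_in extended permit icmp host 192.168.2.5 host 192.168.1.110 echo
access-group outside_access_in in interface outside

! Inside-initiated ping (security level 100 -> 0):
! the echo leaves by default; ICMP inspection tracks it and admits only the
! matching echo-reply, so no "permit icmp any any" is needed for return traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Verify each direction on the ASA itself (ICMP type 8, code 0 = echo request).
! The output lists every phase (route lookup, ACL, NAT, inspection) and the
! phase that drops the packet, if any.
packet-tracer input inside icmp 192.168.1.110 8 0 192.168.2.5
packet-tracer input outside icmp 192.168.2.5 8 0 192.168.1.110

! Confirm the ACL entry is taking hits and that the inspection policy is applied.
show access-list outside_access_in
show service-policy
```

If `packet-tracer` shows both directions allowed and the ping still fails, the cause is off the ASA, as it was twice in this thread: a second gateway on the inside subnet, and the inside host's own firewall.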
