ASA 5506 Can't Ping INSIDE host using NAT from OUTSIDE subnet

rzahrb
Level 1

Hi,

I have a 5506 with NAT enabled on its INSIDE interface. The OUTSIDE interface of the firewall is connected to a LAN (having multiple subnets). I have created an ACL and ICMP inspection also. However, I am unable to ping from a subnet on the OUTSIDE to the NATed IP on the INSIDE.

When I do a packet-trace on the OUTSIDE using ICMP to INSIDE, the flow is created, but when I use the packet-tracer on the INSIDE for the same source and destination, the ACL drops it. I have tried to google and search online a lot, but I can't seem to conclude where the problem is.

Here is the packet tracer that is creating the flow for the OUTSIDE interface:

# packet-tracer input outside icmp 10.2.20.101 8 0 10.220.138.8 det (Flow created)

And here is my packet tracer that is failing on acl drop at Phase-2 for the INSIDE interface:

# packet-tracer input inside icmp 10.2.20.101 8 0 10.220.138.8 det (Fails here, acl_drop)

10.2.20.101 (255.255.255.128) is a host on the OUTSIDE.

10.220.138.8 is the NATed IP that I have for the inside host 172.16.2.8.

So, how can I actually look at what's wrong? Through debugging? Because packet-tracer and capture don't seem to resolve the issue that I am looking for.

Thanks,

5 Replies

Hi,
If 10.2.20.101 is an IP address on the OUTSIDE of the ASA, then you cannot use that as a source from the INSIDE interface for the packet trace. So I'd expect your 2nd example to fail, as it has.

I assume the device you are actually attempting to ping (172.16.2.8) responds to ping, and its default gateway is the ASA? Try turning on "debug icmp trace" temporarily, then ping the device and observe the output. You may need to turn on logging.

HTH

Ok, so packet trace makes sense now.

No, 172.16.2.8 doesn't respond to ping and its default GW is not the FW.

I am not sure what that GW should be. Should it be the INSIDE int address, 10.127.0.10?

The INSIDE host 172.16.2.8 has 3 different IP addresses and none of them belong to the INSIDE IP network, as you can see in the config file.

Ok, it doesn't need to be the GW, but the return traffic does need to go via the ASA; we just need to determine if traffic to/from that host goes via the ASA. So whatever your default gateway is needs to route traffic via the ASA.

When you say 172.16.2.8 doesn't respond to ping, is that from inside the network? I am just trying to rule out a local FW on that device that could be blocking ping. Ping from the ASA itself.

Ok, I will share the PING response from the ASA to the desired host and vice versa. Thanks for the help, appreciate it. I will have access to that FW again tomorrow.

Rza

Hi RJI,

I think this is the culprit, thank you for pointing in the right direction.

I can not ping the INSIDE host 172.16.2.8 from the ASA itself and of course vice versa. I am now thinking it has something to do with my virtual architecture, because the INSIDE is basically connected to a 3560 which connects my different INSIDE networks as well as the virtual networks.

The INSIDE networks are:

172.16.2.0   (255.255.255.0) - this is the VM network

10.0.0.0     (255.255.255.0)

192.168.2.0  (255.255.255.0)

The inside routes are as below:

route inside 172.16.0.0 255.255.0.0 10.127.0.1 2 track 14
route inside 10.127.0.0 255.255.255.0 10.127.0.1 2 track 14
route inside 192.168.0.0 255.255.0.0 10.127.0.1 2 track 14
route inside 10.0.0.0 255.255.255.0 10.127.0.1 2 track 14

Rza
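The diagnosis in this thread turns on two questions: which route the ASA uses to reach the real (un-NATed) inside address, and whether the inside host's gateway sends replies back through the ASA rather than somewhere else. The Python script below is an added example, not part of the thread and not a Cisco tool. It parses the ASA `route` lines posted above (and IOS-style `ip route` lines for the inside switch), performs a longest-prefix lookup the way a routing table does, and reports both directions of an OUTSIDE-to-INSIDE ping. The two 3560 route tables are constructed, hypothetical examples (the thread never shows the switch configuration), and the ASA inside address 10.127.0.10 is taken from the address the thread asks about.

```python
import ipaddress
import re

# Route statements posted in the thread (ASA syntax:
# "route <iface> <net> <mask> <gateway> [metric] [track <n>]").
ASA_ROUTES = """\
route inside 172.16.0.0 255.255.0.0 10.127.0.1 2 track 14
route inside 10.127.0.0 255.255.255.0 10.127.0.1 2 track 14
route inside 192.168.0.0 255.255.0.0 10.127.0.1 2 track 14
route inside 10.0.0.0 255.255.255.0 10.127.0.1 2 track 14
"""

# Constructed, hypothetical static routes for the inside L3 switch (IOS "ip route" syntax).
# The thread does not show the 3560's configuration; these two tables illustrate a
# return path that goes back through the ASA and one that bypasses it.
CORE_ROUTES_OK = """\
ip route 10.2.20.0 255.255.255.128 10.127.0.10
ip route 0.0.0.0 0.0.0.0 10.127.0.10
"""
CORE_ROUTES_BAD = """\
ip route 0.0.0.0 0.0.0.0 192.168.2.1
"""

ROUTE_RE = re.compile(
    r"^(?:ip\s+)?route\s+"
    r"(?:(?P<iface>[A-Za-z]\S*)\s+)?"  # ASA lines name the egress interface; IOS lines do not
    r"(?P<net>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})\s+(?P<gw>\d+(?:\.\d+){3})"
    r"(?:\s+(?P<metric>\d+))?(?:\s+track\s+(?P<track>\d+))?\s*$"
)


def parse_routes(text):
    """Parse ASA 'route' / IOS 'ip route' lines into a list of route dicts."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        routes.append({
            "iface": m["iface"],
            "network": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False),
            "gateway": ipaddress.ip_address(m["gw"]),
            "metric": int(m["metric"]) if m["metric"] else 1,
            "track": int(m["track"]) if m["track"] else None,
        })
    return routes


def lookup(routes, host):
    """Longest-prefix match, ties broken by lowest metric; None when no route covers the host."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def check_path(asa_routes, core_routes, outside_host, inside_real_ip, asa_inside_ip):
    """Reason about both directions of an OUTSIDE -> INSIDE ping through a static NAT.

    Forward: the ASA must have a route to the real (un-NATed) inside address.
    Return:  the inside host's gateway must send replies to the outside host back to
             the ASA; otherwise the ASA never sees the reply and the ping looks blocked.
    """
    fwd = lookup(asa_routes, inside_real_ip)
    ret = lookup(core_routes, outside_host)
    return {
        "forward_iface": fwd["iface"] if fwd else None,
        "forward_gateway": str(fwd["gateway"]) if fwd else None,
        "return_via_asa": ret is not None
        and ret["gateway"] == ipaddress.ip_address(asa_inside_ip),
    }


if __name__ == "__main__":
    asa = parse_routes(ASA_ROUTES)
    for label, core in (("core ok", CORE_ROUTES_OK), ("core bad", CORE_ROUTES_BAD)):
        result = check_path(asa, parse_routes(core), "10.2.20.101", "172.16.2.8", "10.127.0.10")
        print(label, result)
```

With the posted ASA routes, 172.16.2.8 matches 172.16.0.0/16 and is forwarded out `inside` to 10.127.0.1; whether the reply ever comes back depends entirely on the switch's route for 10.2.20.0/25, which is exactly the return-path point raised in the replies above.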
