403 Views | 0 Helpful | 5 Replies

ASA 5510 Internet Access issue

Rob Royse (Level 1)

Hello,

I am having trouble getting an ASA 5510 configured for simple internet access with DHCP from my ISP. Could you please review my current running config and let me know what I need to add and/or remove?

Thanks!

ASA Version 9.1(3)
!
hostname ciscoasa
enable password encrypted
names
!
interface Ethernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network net-192.168.0
 subnet 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any no-proxy-arp
!
object network net-192.168.0
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username admin password KvX48a46hrlNTwvf encrypted privilege 15
username robr password nJixs.T/EUAomNvd encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cc0ef3e96b99772fb77bf274929b79aa
: end

5 Replies

Jouni Forss (VIP Alumni)

Hi,

This NAT configuration is likely the cause of the problem:

nat (inside,outside) source static any any no-proxy-arp

It will cause no address behind the ASA to be translated. In other words, all your connections to the Internet will be attempted with the private IP address, which naturally won't route on the Internet.

So please remove this NAT configuration and try again:

no nat (inside,outside) source static any any no-proxy-arp

Hope this helps.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
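The reason the rule above breaks Internet access is the ASA NAT table's section order: manual NAT (section 1) is matched before object NAT (section 2) and after-auto NAT (section 3), so the identity "any any" rule wins and the object PAT rule is never reached. The following is an added illustration written for this thread, not Cisco code or anything from the posts; the rule objects and the outside address 192.0.2.1 are constructed, and ordering within a section is simplified to configured order.

```python
"""Model of the ASA NAT table's three-section match order, used to show why
the 'source static any any' rule in the original config stopped PAT.
Added illustration; not Cisco code. Rules and the outside IP are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    section: int    # 1 manual (twice) NAT, 2 object (auto) NAT, 3 after-auto manual NAT
    real_src: str   # source the rule matches: "any" or a CIDR
    mapped: str     # "identity" keeps the real address, "interface" PATs to the outside IP
    cli: str        # the running-config line the rule stands for

# RFC 1918 space checked explicitly (ipaddress.is_private also flags test nets)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches(rule, src):
    return rule.real_src == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(rule.real_src)

def translate(rules, src, outside_ip):
    """First match wins; sections are searched 1, 2, 3. The stable sort keeps
    configured order inside a section (a simplification of real section 2 ordering)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if matches(rule, src):
            return (src if rule.mapped == "identity" else outside_ip), rule
    return src, None

def reaches_internet(mapped_src):
    """A packet leaving with an RFC 1918 source has no route back from the Internet."""
    addr = ipaddress.ip_address(mapped_src)
    return not any(addr in net for net in RFC1918)

# The three NAT statements from the poster's original running config
IDENTITY_ANY = NatRule(1, "any", "identity", "nat (inside,outside) source static any any no-proxy-arp")
OBJECT_PAT = NatRule(2, "192.168.0.0/24", "interface", "object network net-192.168.0 / nat (inside,outside) dynamic interface")
AFTER_AUTO = NatRule(3, "any", "interface", "nat (inside,outside) after-auto source dynamic any interface")

ORIGINAL_RULES = [IDENTITY_ANY, OBJECT_PAT, AFTER_AUTO]
FIXED_RULES = [OBJECT_PAT, AFTER_AUTO]  # after 'no nat (inside,outside) source static any any no-proxy-arp'

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        mapped, rule = translate(rules, "192.168.0.10", "192.0.2.1")  # 192.0.2.1: constructed outside IP
        print(f"{label}: 192.168.0.10 -> {mapped} via [{rule.cli}] routable={reaches_internet(mapped)}")
```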

Also,

You could add these in case you are testing connectivity with ICMP:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

The first will automatically allow ICMP Echo Reply messages through the firewall (for the ICMP Echos that are allowed through the firewall). The second is related to the ICMP error messages that the routers in between the source and destination send to the source host.

- Jouni
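To make the behaviour of the two inspect commands concrete: with the inbound ACL on outside denying everything, an echo reply or a router's ICMP error can only get back in if inspection created state for the outbound echo. The following is an added, simplified model written for this thread, not Cisco code; the packet tuples and addresses are constructed, and the matching rules are a simplification of the real inspection engine.

```python
"""Simplified model of 'inspect icmp' (stateful echo sessions) and
'inspect icmp error' (admitting router-generated errors that quote a known
session). Added illustration; not Cisco code. Packets are constructed tuples."""

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11

class IcmpInspector:
    """Packet = (icmp_type, src, dst, icmp_id, embedded), where embedded is the
    (src, dst, icmp_id) of the original datagram quoted inside an ICMP error."""

    def __init__(self, inspect_icmp=True, inspect_icmp_error=True):
        self.inspect_icmp = inspect_icmp
        self.inspect_icmp_error = inspect_icmp_error
        self.sessions = set()  # (inside_src, outside_dst, icmp_id) created by outbound echoes

    def outbound(self, pkt):
        """Inside -> outside is permitted (security level 100 to 0); with
        'inspect icmp' an echo request also records a session."""
        itype, src, dst, icmp_id, _ = pkt
        if itype == ECHO_REQUEST and self.inspect_icmp:
            self.sessions.add((src, dst, icmp_id))
        return True

    def inbound(self, pkt):
        """Outside -> inside: the thread's ACL denies everything, so only
        inspection state can admit a packet."""
        itype, src, dst, icmp_id, embedded = pkt
        if itype == ECHO_REPLY and self.inspect_icmp:
            # A reply is admitted only for an outstanding request with src/dst swapped
            return (dst, src, icmp_id) in self.sessions
        if itype == TIME_EXCEEDED and self.inspect_icmp_error and embedded:
            # An error from an intermediate router is admitted when the quoted
            # original datagram belongs to a recorded session
            return embedded in self.sessions
        return False

# Constructed sample exchange: a ping from the inside host to 198.51.100.7
REQUEST = (ECHO_REQUEST, "192.168.0.10", "198.51.100.7", 1234, None)
REPLY = (ECHO_REPLY, "198.51.100.7", "192.168.0.10", 1234, None)
STRAY_REPLY = (ECHO_REPLY, "198.51.100.7", "192.168.0.10", 9999, None)
ROUTER_ERROR = (TIME_EXCEEDED, "203.0.113.1", "192.168.0.10", 0, ("192.168.0.10", "198.51.100.7", 1234))

def run(inspect_icmp=True, inspect_icmp_error=True):
    """Return (reply admitted, stray reply admitted, router error admitted) for one ping."""
    fw = IcmpInspector(inspect_icmp, inspect_icmp_error)
    fw.outbound(REQUEST)
    return fw.inbound(REPLY), fw.inbound(STRAY_REPLY), fw.inbound(ROUTER_ERROR)
```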

Jouni: Thank you for the prompt reply. I added the nat command, but it still doesn't seem to be permitting traffic:

I couldn't get it to accept the icmp commands though. Is there anything else I am missing or further info I can provide to restore internet access?

Thank you, please advise.

-Rob

: Saved
:
ASA Version 9.1(3)
!
hostname ciscoasa
enable password encrypted
names
!
interface Ethernet0/0
 description WAN Interface
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network net-192.168.0
 subnet 192.168.0.0 255.255.255.0
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network net-192.168.0
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username admin password KvX48a46hrlNTwvf encrypted privilege 15
username robr password nJixs.T/EUAomNvd encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cf6e60e0ca64eed6649ed7aeebec6ad2
: end

Also, in the event it is helpful:

Result of the command: "sh int"

Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: WAN Interface
        MAC address 0024.14d3.7834, MTU 1500
        IP address 71.81.78.70, subnet mask 255.255.240.0
        35147 packets input, 9823986 bytes, 0 no buffer
        Received 6414 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        27861 packets output, 6326028 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        26 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/230)
  Traffic Statistics for "outside":
        35121 packets input, 9136277 bytes
        27861 packets output, 5752203 bytes
        733 packets dropped
      1 minute input rate 56 pkts/sec,  14169 bytes/sec
      1 minute output rate 41 pkts/sec,  7360 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 53 pkts/sec,  13673 bytes/sec
      5 minute output rate 42 pkts/sec,  7244 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: LAN Interface
        MAC address 0024.14d3.7835, MTU 1500
        IP address 192.168.0.254, subnet mask 255.255.255.0
        28743 packets input, 6432315 bytes, 0 no buffer
        Received 524 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        31714 packets output, 9552084 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/243)
        output queue (blocks free curr/low): hardware (255/250)
  Traffic Statistics for "inside":
        28738 packets input, 5839886 bytes
        31714 packets output, 8905239 bytes
        507 packets dropped
      1 minute input rate 42 pkts/sec,  7490 bytes/sec
      1 minute output rate 49 pkts/sec,  13751 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 44 pkts/sec,  7370 bytes/sec
      5 minute output rate 49 pkts/sec,  13366 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/2 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 0024.14d3.7836, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/255)
        output queue (blocks free curr/low): hardware (255/255)
Interface Ethernet0/3 "", is administratively down, line protocol is down
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 0024.14d3.7837, MTU not set
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/255)
        output queue (blocks free curr/low): hardware (255/255)
Interface Management0/0 "management", is up, line protocol is up
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: Management
        MAC address 0024.14d3.7838, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
        6953 packets input, 532769 bytes, 0 no buffer
        Received 525 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        6203 packets output, 1409513 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/1) software (0/12)
        output queue (curr/max packets): hardware (0/24) software (0/1)
  Traffic Statistics for "management":
        6950 packets input, 431962 bytes
        6203 packets output, 1319431 bytes
        961 packets dropped
      1 minute input rate 3 pkts/sec,  213 bytes/sec
      1 minute output rate 0 pkts/sec,  225 bytes/sec
      1 minute drop rate, 2 pkts/sec
      5 minute input rate 14 pkts/sec,  865 bytes/sec
      5 minute output rate 14 pkts/sec,  3429 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Management-only interface. Blocked 660 through-the-device packets

Please disregard. I have since resolved the main issue, however I would like to better understand how to implement the ICMP commands you referenced.

Thanks again,

-Rob
