07-20-2014 03:19 AM - edited 03-11-2019 09:30 PM
Hello,
I am new to ASA. I have set up a lab in GNS3.
I cannot ping the outside interface from inside or vice versa. I have tried adding ACLs, inspect icmp, and everything else that I found while searching for the solution.
My Current running config is:
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network nonat
access-list outside_access_out extended permit tcp any eq echo any eq echo
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list inside_access_out extended permit tcp any eq echo any eq echo
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq echo
access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
!
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
network 172.16.0.0 255.255.255.0 area 0
log-adj-changes
!
route inside 192.168.1.0 255.255.255.0 172.16.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.1 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ameya password xxxxxxxxxxxxxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:69a533dbabc0f5a84aaeee0c2054746a
: end
ciscoasa(config)#
Pings don't even work when I ping from the outside interface to the inside interface and vice versa.
ciscoasa# ping inside 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping outside 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
07-21-2014 11:07 AM
Ping from your inside interface to the outside interface is not allowed on the ASA.
Try to create a virtual machine and do the test, or create a LAN environment; I'm pretty sure ping should work fine as long as the ASA remains reachable.
I would add to the configuration:
icmp permit any echo-reply inside
icmp permit any echo-reply outside
Hope this helps!
- Randy -
07-28-2014 09:50 PM
Hi,
You are using too many ACLs in your configuration. Keep in mind that, by default, traffic from a higher-security interface (inside) is allowed to a lower-security interface (outside) without the need for any ACL. The only ACL you need is for traffic that comes from outside to inside, applied in the inbound direction on the interface. The "out" keyword is rarely used and should be avoided, as it is only needed for specific scenarios. Also, remove the current NAT configs and just create a simple dynamic PAT using Auto-NAT for the inside subnet. Twice NAT is a bit complex and is used for specific situations.
I suggest using the following configs:
access-list Outside_IN extended permit icmp any any echo (Not recommended in production)
access-list Outside_IN extended permit icmp any any echo-reply
access-group Outside_IN in interface outside
!
object network Inside_Subnet
subnet 172.16.0.0 255.255.255.0
nat (inside,outside) dynamic interface
I also suggest to ping live machines rather than ASA's own interfaces.
AM
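To turn the advice in the two answers into a repeatable check, here is an added example (not from this thread or from Cisco) that lints an ASA running-config excerpt modelled on the one in the question: it flags "out"-direction access-groups, any/any permits applied inbound on the lowest-security interface, telnet allowed on that interface, and the catch-all twice NAT. The sample config, the helper name `lint_asa_config` and the finding texts are constructed for this example.

```python
import re

# Constructed excerpt modelled on the running-config in the question (not the full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
interface GigabitEthernet1
 nameif outside
 security-level 0
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
telnet 192.168.1.1 255.255.255.255 outside
nat (inside,outside) source static any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
TELNET_RE = re.compile(r"^telnet (\S+) (\S+) (\S+)$")

def lint_asa_config(text):
    """Return a list of findings for risky or unneeded settings in an ASA config excerpt."""
    levels, acls, findings, nameif = {}, {}, [], None
    # True when iface carries the lowest security level seen so far (e.g. "outside").
    is_lowest = lambda iface: bool(levels) and levels.get(iface) == min(levels.values())
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif (m := ACL_RE.match(line)):
            acls.setdefault(m.group(1), []).append(m.group(2) + " " + m.group(3))
        elif (m := GROUP_RE.match(line)):
            name, direction, iface = m.groups()
            if name not in acls:
                findings.append(f"access-group {name} on {iface} references an undefined ACL")
            elif direction == "out":
                findings.append(f"ACL {name} applied outbound on {iface}: 'out' is rarely needed")
            elif "permit ip any any" in acls[name] and is_lowest(iface):
                findings.append(f"ACL {name} permits ip any any inbound on lowest-security interface {iface}")
        elif (m := TELNET_RE.match(line)) and is_lowest(m.group(3)):
            findings.append(f"telnet from {m.group(1)} on lowest-security interface {m.group(3)}: cleartext management")
        elif re.match(r"^nat \(\S+\) source static any any", line):
            findings.append("twice NAT 'source static any any' matches all traffic; auto-NAT for the inside subnet is simpler")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print("-", finding)
```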