
ASA cannot ping outside behind router. Help!

klncy2014
Level 1

Hello guys,

I have a simple lab setup in GNS3. I'm having a problem pinging from the ASA to the outside world. If I'm on the router, I can ping fine (ping 4.2.2.2) and I get replies back, but no luck from the ASA itself. For now I just want to get the ASA to ping out to the cloud; later I'll play around with the host PC. I'd really appreciate it if someone could help me out. Thanks all!

Here are my configs on the ASA and router.

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.168.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network inside_mapped
subnet 172.168.1.0 255.255.255.0
object network internal_lan
subnet 172.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:10910835b2de0a54ad502ba3e5c1f9dd
: end
ciscoasa#

Cisco 2600:

interface FastEthernet0/0
description To Internet
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description inside edge router
ip address 10.10.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.137.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 172.168.0.0 0.0.255.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You haven't configured any NAT on the router for the 10.10.10.0/24 network.

When you ICMP directly from the ASA, it will naturally first do a route lookup, see that the destination IP address is behind "outside", and therefore use the "outside" interface IP address as the source IP address for the ICMP Echo message.

You will need to add an ACL line to the NAT configuration on the router:

access-list 1 permit 10.10.10.0 0.0.0.255

This should add the network to the Dynamic PAT configuration on the router, to my understanding.

Remember to mark the reply as the correct answer if it answered your question.

- Jouni

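To illustrate Jouni's point, here is a small model written for this edit (example code, not from the thread or from Cisco): it performs the ASA's route lookup to find which interface IP a self-originated ping is sourced from, then applies the router's access-list 1 with Cisco wildcard-mask semantics to decide whether "ip nat inside source list 1 ... overload" would translate that source, before and after the suggested line. The ASA routes, interface IPs and ACL lines are taken from the configs above; the ACL parser only handles the "permit|deny <addr> <wildcard>" form that appears on this page.

```python
import ipaddress

# Constructed from the thread's configs: ASA interface IPs and routes, and the
# router's NAT ACL before and after the line Jouni suggests adding.
ASA_INTERFACES = {"outside": "10.10.10.1", "inside": "172.168.1.1"}
ASA_ROUTES = [("0.0.0.0/0", "outside"),      # route outside 0.0.0.0 0.0.0.0 10.10.10.2
              ("10.10.10.0/24", "outside"),  # connected
              ("172.168.1.0/24", "inside")]  # connected
ROUTER_ACL_BEFORE = ["access-list 1 permit 172.168.0.0 0.0.255.255"]
ROUTER_ACL_AFTER = ROUTER_ACL_BEFORE + ["access-list 1 permit 10.10.10.0 0.0.0.255"]

def asa_source_for(dst):
    """Longest-prefix route lookup; a ping the ASA originates itself is sourced
    from the IP of the interface the matching route points at."""
    best = None
    for prefix, ifname in ASA_ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return ASA_INTERFACES[best[1]]

def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> <wildcard>' (only that form)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list":
            entries.append((parts[2], int(ipaddress.IPv4Address(parts[3])),
                            int(ipaddress.IPv4Address(parts[4]))))
    return entries

def acl_permits(entries, src):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    First match wins; an unmatched address hits the implicit deny."""
    ip = int(ipaddress.IPv4Address(src))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if (ip & care) == (addr & care):
            return action == "permit"
    return False

def router_translates(acl_lines, src):
    """True if 'ip nat inside source list 1 ... overload' would PAT this source."""
    return acl_permits(parse_standard_acl(acl_lines), src)

if __name__ == "__main__":
    src = asa_source_for("4.2.2.2")
    for label, acl in (("before", ROUTER_ACL_BEFORE), ("after", ROUTER_ACL_AFTER)):
        print(f"ping 4.2.2.2 from ASA is sourced {src}; router PATs it ({label}): "
              f"{router_translates(acl, src)}")
```

Without translation the router forwards the echo with source 10.10.10.1 toward 192.168.137.1, and nothing upstream has a return route for that address, which is why the router's own pings work while the ASA's do not.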

2 Replies


Once again you helped me out!! Perfect, thank you! I can ping to the cloud now.

Now, I want to set up the host to allow it to ping outside.

Do I need to set up NAT on the ASA or on the router in order for the host to ping out?

thx

ken
