ASA can ping inside but not outside

samir khoury
Level 1

Hello,

I was trying to configure a VPN, but that failed, and I noticed I can't ping from inside ASA1 to inside ASA2.

Here is how it is set up.

From 192.168.10.100 to 192.168.20.100

PC---ASA(NY)---ASA(LA)---PC

PC 192.168.10.100 --192.168.10.1--ASA--192.168.1.100----192.168.1.200--ASA--192.168.20.1--192.168.20.100

I configured an ACL to allow icmp from any to any, but that didn't work.

I did "ICMP enable outside/inside", but that didn't work.

I did add ICMP to the policy map, but that didn't work.

I did a static route and OSPF; same thing, it didn't work.

Here is the configuration of one of the ASAs.

ASA-NY# sh ro

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S 192.168.20.0 255.255.255.0 [1/0] via 192.168.1.200, outside
C 192.168.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.100 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
access-list outside_access_in extended permit tcp any 192.168.10.0 255.255.255.0 object-group TCP_Service_Group
access-list outside_access_in extended permit tcp any object User_Access_Net object-group TCP_Service_Group
access-list outside_access_in extended permit tcp any object User_Access_Net object-group RDP
access-list global_access extended permit icmp any any object-group Ping_testing_group
access-list VPN extended permit ip object-group LOCAL-NETWORK object-group REMOTE-NETWORK
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.11.0 255.255.255.0 192.168.10.5 1
route outside 192.168.20.0 255.255.255.0 192.168.1.200 1
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

Thank you.

11 Replies

Hi,
You don't have icmp enabled in your policy map. Enter this:

policy-map global_policy
class inspection_default
inspect icmp

If that doesn't work, please can you run packet-tracer and provide the results?

e.g. - packet-tracer input inside icmp 192.168.10.100 8 0 192.168.20.100

HTH

Hi,

I did what you asked and still have the same issue. Please see below the output from the packet tracer.

ASA-NY# packet-tracer input inside icmp 192.168.10.100 8 0 192.168.20.100

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.20.0 255.255.255.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit icmp any any object-group Ping_testing_group
object-group icmp-type Ping_testing_group
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 38, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ASA-NY#

The packet-tracer output shows the traffic should be allowed.

Could there be a local firewall turned on the PC's that is blocking the ping response?

Have you run packet-tracer on the other ASA? Is that also allowed?
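An added example (not from this thread or from Cisco): a small Python parser for packet-tracer output in the shape shown above. It reports whether the final Action is allow and, when it is not, which phase returned DROP and the Drop-reason the ASA printed, which is the first thing to read when comparing traces from both firewalls. The two sample traces are constructed and trimmed to the lines that matter.

```python
import re

# Constructed samples in the shape of ASA packet-tracer output (trimmed to the lines that matter).
ALLOWED_TRACE = ("Phase: 1\nType: ROUTE-LOOKUP\nSubtype: input\nResult: ALLOW\n"
                 "Additional Information:\nin 192.168.20.0 255.255.255.0 outside\n\n"
                 "Phase: 2\nType: INSPECT\nSubtype: np-inspect\nResult: ALLOW\n\n"
                 "Result:\ninput-interface: inside\noutput-interface: outside\nAction: allow\n")
DROPPED_TRACE = ("Phase: 1\nType: ROUTE-LOOKUP\nSubtype: input\nResult: ALLOW\n\n"
                 "Phase: 2\nType: ACCESS-LIST\nSubtype:\nResult: DROP\nConfig:\nImplicit Rule\n\n"
                 "Result:\ninput-interface: inside\noutput-interface: outside\nAction: drop\n"
                 "Drop-reason: (acl-drop) Flow is denied by configured rule\n")

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of per-phase dicts and the final Result block."""
    phases, final, current, in_final = [], {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = PHASE_RE.match(line)
        if m:                      # "Phase: N" opens a new phase
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            phases.append(current)
            in_final = False
            continue
        if line == "Result:":      # a bare "Result:" opens the summary block
            in_final, current = True, None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue               # config echoes and free text carry no key
        key, value = key.strip().lower(), value.strip()
        if in_final:
            final[key] = value
        elif current is not None and key in current:
            current[key] = value
    return phases, final

def verdict(text):
    """Return (action, detail): 'allow', or 'drop' with the phase that dropped it and the ASA's reason."""
    phases, final = parse_packet_tracer(text)
    if final.get("action", "").lower() == "allow":
        return "allow", "passed %d phases" % len(phases)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    where = "phase %d %s" % (drop["phase"], drop["type"]) if drop else "unknown phase"
    return "drop", "%s: %s" % (where, final.get("drop-reason", "no reason given"))

if __name__ == "__main__":
    for name, trace in (("allowed", ALLOWED_TRACE), ("dropped", DROPPED_TRACE)):
        print(name, verdict(trace))
```

Paste the real output of `packet-tracer input inside icmp 192.168.10.100 8 0 192.168.20.100` from each ASA into `verdict()` to see at a glance whether it is the ACL, the inspection policy or a later phase that differs between the two boxes.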

Hi,

I did the packet-tracer from the other ASA and it came back fine. Then I checked the Windows FW, and you are right, they were on; I could have sworn I turned them off.

So now I can ping from PC to PC; however, I can't ping the inside interface of ASA 192.168.20.1 from 192.168.10.100. Do you know why?

Thank you

Try configuring the management-access command, reference here.

"if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface".

HTH

Hi,

This is looking way better; however, I noticed that each client device is able to ping everything but its outside interface. I added an ACL to allow icmp from any to any, but that did not work.

Any suggestions?

Thanks

I guess the same logic applies as before: you are attempting to manage the outside interface originating from the inside interface. So perhaps try and apply management-access outside?

HTH

Hi,

I had the feeling that you would say that, but I waited for you to suggest it. Unfortunately, that didn't help and it seems to have got worse: now I am not able to ping the outside interface or the inside interface of the other FW.

Thank you

OK. Can you upload the config of both ASAs and I'll have a look at what you've already configured?

Hi,

Please see attached; just an FYI, this is my personal lab/training.

Thanks for your help.

You've only got an ACL on ASA NY, so is that the ASA you cannot ping? If you ping ASA LA (which doesn't have an ACL), does that work?

Can you run a packet-tracer on each of the firewalls to see what the output is of pinging the outside interface?