04-10-2017 07:51 AM - edited 03-12-2019 02:12 AM
Hi,
I'm setting up an ASA and I'm unable to ping from the Inside network to the internet. It works fine from the ASA itself. The error would appear to be related to the NAT. Any ideas?
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any unreachable
access-list INBOUND extended permit icmp any any source-quench
access-group INBOUND in interface Outside
packet-tracer input outside icmp 8.8.8.8 0 0 192.168.1.10
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 Inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INBOUND in interface Outside
access-list INBOUND extended permit icmp any any echo-reply
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside,Outside) source dynamic Inside interface
Additional Information:
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
04-10-2017 08:16 AM
Your packet-tracer logic is incorrect.
Ping return traffic (ICMP echo reply) would not be coming in with a destination of the real IP address of an inside host, since that host address's outbound ICMP echo request would have been NATed. That's why the packet-tracer indicates DROP due to rpf-check (reverse path forwarding).
First off, make sure you are inspecting ICMP in class-default. It is not on by default on an ASA. Then run packet-tracer again with the source input inside icmp 192.168.1.10 and destination 8.8.8.8.
Generally speaking, a stateful connection (something tcp-based) is a better test for connectivity through a stateful firewall like the ASA.
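As an added example (not part of the original thread), here is a small parser for the packet-tracer output format shown above: it splits the trace into its phases and the trailing Result block, then reports which phase dropped the packet, the config line in that phase, and the firewall's Drop-reason. The embedded sample is a constructed copy of the drop phase and summary from the trace posted above, trimmed to fit.

```python
# Trimmed packet-tracer output, constructed from the drop phase of the trace posted above.
SAMPLE = """\
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside,Outside) source dynamic Inside interface
Additional Information:
Result:
input-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split ASA packet-tracer output into per-phase dicts and the trailing Result summary."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase" and value.isdigit():            # a new phase block begins
            cur = {"phase": int(value), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif cur is not None and key == "Result" and not value:  # bare 'Result:' opens the summary
            cur = None
        elif cur is None:
            summary[key] = value                          # e.g. Action, Drop-reason, input-interface
        elif section is None and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = value
        elif key in ("Config", "Additional Information") and not value:
            section = "config" if key == "Config" else "info"
        elif section:
            cur[section].append(line)                     # verbatim config or info line
    return phases, summary

def diagnose(text):
    """Return the phase that dropped the packet and the firewall's stated reason, or None if allowed."""
    phases, summary = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    if dropped is None:
        return None
    return {"phase": dropped["phase"], "type": dropped["type"], "subtype": dropped["subtype"],
            "config": dropped["config"], "reason": summary.get("Drop-reason", ""),
            "input_interface": summary.get("input-interface", "")}
```

Running `diagnose` over the full trace above points at phase 7 (NAT, rpf-check) with the `nat (Inside,Outside)` rule as the config in play, which is the wrong-direction test the reply describes; the same parser can be run over the trace taken from the Inside interface to confirm the flow is allowed end to end.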