ASA unable ping from inside to the internet

Keith Clayton
Level 1

Hi,

I'm setting up an ASA and I'm unable to ping from the Inside network to the internet. It works fine from the ASA itself. The error would appear to be related to the NAT. Any ideas?

access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any unreachable
access-list INBOUND extended permit icmp any any source-quench
access-group INBOUND in interface Outside

packet-tracer input outside icmp 8.8.8.8 0 0 192.168.1.10

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   Inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INBOUND in interface Outside
access-list INBOUND extended permit icmp any any echo-reply
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside,Outside) source dynamic Inside interface
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 Reply

Marvin Rhoads
Hall of Fame

Your packet-tracer logic is incorrect.

Ping return traffic (ICMP echo reply) would not be coming in with a destination of the real IP address of an inside host, since that host's outbound ICMP echo request would have been NATted. That's why the packet-tracer indicates DROP due to rpf-check (reverse path forwarding).

First off, make sure you are inspecting ICMP in class-default. It is not on by default on an ASA. Then run packet-tracer again with the source input inside icmp 192.168.1.10 and destination 8.8.8.8.

Generally speaking, a stateful connection (something tcp-based) is a better test for connectivity through a stateful firewall like the ASA.
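The two changes the reply recommends, written out as an added example (this is not configuration from the original post or from Cisco documentation): enable stateful ICMP inspection in the global service policy, then trace the ping in the direction the real traffic flows. The interface names, the 192.168.1.10 host and 8.8.8.8 are taken from the post; global_policy and inspection_default are the ASA's default policy-map and class names and are assumed to exist on this box.

```cisco
! Added example. Enable stateful ICMP inspection so that an echo reply is
! matched to the outbound echo request (and its PAT translation) instead of
! having to be permitted by the INBOUND ACL.
! global_policy / inspection_default are the ASA default names (assumed here).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify that the inspection is active in the global policy.
show service-policy inspect icmp
!
! Trace the ping in its real direction: from the Inside host toward 8.8.8.8.
! ICMP type 8, code 0 is an echo request. The NAT phase should now show the
! translation to the Outside interface address rather than an rpf-check DROP.
packet-tracer input Inside icmp 192.168.1.10 8 0 8.8.8.8
!
! After a real ping from the host, confirm the translation the reply will match.
show xlate
```

With ICMP inspection on, the reply is accepted because it belongs to an existing connection; the echo-reply entry in the INBOUND access-list is no longer what lets it through. Tracing from Outside with the host's real 192.168.1.0/24 address as destination will keep failing by design, because nothing on the internet can legitimately send to a private address that the dynamic NAT rule has hidden behind the interface.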
