09-21-2009 12:31 PM - edited 02-21-2020 03:41 AM
Background: We are in the process of migrating to a new high speed internet connection. I have attached an ASA to the new connection as follows:
ISP <==> Outside3750 <==> ASA
I have been over this a hundred times, but I cannot figure out why I cannot pass traffic to the outside. Here is the config from the ASA:
ASA# sh run int gig0/0
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address aaa.bbb.ccc.10 255.255.255.248
ASA# sh int gig0/0 stats
Interface GigabitEthernet0/0 "OUTSIDE", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address <privateMAC>, MTU 1500
IP address aaa.bbb.ccc.10, subnet mask 255.255.255.248
8252 packets input, 639464 bytes, 0 no buffer
Received 5173 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
26210 packets output, 1702124 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/11) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Traffic Statistics for "OUTSIDE":
8257 packets input, 490436 bytes
26210 packets output, 774728 bytes
2465 packets dropped
1 minute input rate 0 pkts/sec, 4 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 5 bytes/sec
5 minute output rate 0 pkts/sec, 1 bytes/sec
5 minute drop rate, 0 pkts/sec
route OUTSIDE 0.0.0.0 0.0.0.0 aaa.bbb.ccc.9
ASA# sh route
S* 0.0.0.0 0.0.0.0 [1/0] via aaa.bbb.ccc.9, OUTSIDE
C aaa.bbb.ccc.8 255.255.255.248 is directly connected, OUTSIDE
From the Outside3750, I can see both the ISP and the ASA at layer 2:
Outside3750# sh mac address-table dynamic vlan 413
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 111    <ISP MAC>         DYNAMIC     Gi1/0/14
 111    <privateMAC>      DYNAMIC     Gi1/0/13
I have gone so far as to remove any ACL on the Outside interface, but still cannot pass traffic out. I can ping the ISP from the Outside3750, but I cannot ping the ASA Outside interface from the Outside3750.
Experts, your insight and expertise would be greatly appreciated. Thank you.
Patrick
09-21-2009 12:34 PM
What does your NAT/Globals look like? Please check the log too.
09-21-2009 01:31 PM
Thanks for the reply, Collin. Would the NAT policy affect an ICMP reply from the ASA itself? This same exact config seems to work on another ASA. Here is the config:
nat (INSIDE) 0 access-list NAT-LIST
global (OUTSIDE) 0 interface
access-list NAT-LIST extended permit ip 192.168.0.0 255.255.128.0 any
access-list NAT-LIST extended permit ip 192.168.130.0 255.255.255.0 any
access-list NAT-LIST extended permit ip 192.168.140.0 255.255.255.0 any
access-list NAT-LIST extended permit ip 192.168.151.0 255.255.255.0 any
Here is an excerpt from the log after I removed the ACL:
5|Sep 21 2009 13:55:42|111008: User 'enable_15' executed the 'no access-group OUTSIDE_ACL in interface OUTSIDE' command.
5|Sep 21 2009 13:55:46|111005: 192.168.21.240 end configuration: OK
6|Sep 21 2009 13:55:51|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
3|Sep 21 2009 13:55:51|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE
Thanks, Patrick
09-21-2009 01:34 PM
I've found when you ping from the ASA itself, you need to add an ACE to the outside access list permitting echo-replies. You have NAT 0 above, which means do NOT NAT, and there is no config for NATing your internal clients.
09-21-2009 01:42 PM
You will need something like:
global (outside) 1 12.aa.bb.ccc
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 1 192.168.53.0 255.255.255.0
nat (inside) 1 192.168.54.0 255.255.255.0
nat (inside) 1 192.168.55.0 255.255.255.0
09-21-2009 02:16 PM
Collin - sorry, there was a typo:
nat (INSIDE) 1 access-list NAT-LIST
global (OUTSIDE) 1 interface
09-22-2009 05:48 AM
3|Sep 21 2009 13:55:51|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE shows that the OUTSIDE ACL is blocking ICMP. Add something like this:
access-list outside_access extended permit icmp host 4.2.2.2 host aaa.bbb.ccc.10
09-22-2009 06:59 AM
Collin - here is the latest output from the log. First, I added the ACE:
5|Sep 22 2009 08:41:05|111008: User 'enable_15' executed the 'access-list OUTSIDE_ACL line 1 extended permit icmp host 4.2.2.2 host aaa.bbb.ccc.10' command.
Next, I tried to ping from the ASA:
6|Sep 22 2009 08:41:21|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
3|Sep 22 2009 08:41:21|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE
6|Sep 22 2009 08:41:21|302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388
I have also added a host on the inside interface, confirmed my NAT, and I am getting similar results from there:
6|Sep 22 2009 08:32:27|305011: Built dynamic ICMP translation from INSIDE:10.90.90.100/512 to OUTSIDE(NAT-LIST):aaa.bbb.ccc.10/1
6|Sep 22 2009 08:32:27|302020: Built outbound ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512
6|Sep 22 2009 08:32:29|302021: Teardown ICMP connection for faddr 4.2.2.1/0 gaddr aaa.bbb.ccc.10/1 laddr 10.90.90.100/512
09-22-2009 07:30 AM
Do you also have icmp permits? Here's a great doc on the ASA and ICMP.
09-22-2009 09:34 AM
Collin - issue resolved. The issue was that icmp inspect was not turned on in AIP. Thanks for the assist.
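As an added troubleshooting aid (not part of the thread), this Python snippet correlates the log message IDs pasted above: a 302020 "Built outbound ICMP connection" followed within a few seconds by a 313001 denial of ICMP type 0 (echo-reply) from the same peer is the signature seen here when the ASA's own ping leaves but the reply is not matched back to a connection. The line format and message texts are as pasted in the thread; the five-second correlation window is an assumption.

```python
"""Correlate ASA syslog lines: flag echo-replies the ASA denies right after it
built the outbound ICMP connection itself (the symptom in this thread)."""
import re
from datetime import datetime, timedelta

# Log shape as pasted in the thread: severity|Mon dd yyyy HH:MM:SS|msgid: text
LINE_RE = re.compile(r"^(\d)\|(\w{3} \d\d \d{4} \d\d:\d\d:\d\d)\|(\d{6}): (.*)$")
BUILT_RE = re.compile(r"Built outbound ICMP connection for faddr (\S+)/\d+")
DENIED_RE = re.compile(r"Denied ICMP type=(\d+), code=\d+ from (\S+) on interface (\S+)")

# Excerpts taken from the log lines posted above.
SAMPLE_LOG = [
    "6|Sep 21 2009 13:55:51|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388",
    "3|Sep 21 2009 13:55:51|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE",
    "6|Sep 22 2009 08:41:21|302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388",
    "3|Sep 22 2009 08:41:21|313001: Denied ICMP type=0, code=0 from 4.2.2.2 on interface OUTSIDE",
    "6|Sep 22 2009 08:41:21|302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr aaa.bbb.ccc.10/4388 laddr aaa.bbb.ccc.10/4388",
]

def parse(line):
    """Split one syslog line into its fields; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sev, ts, msgid, text = m.groups()
    return {"sev": int(sev), "ts": datetime.strptime(ts, "%b %d %Y %H:%M:%S"),
            "id": msgid, "text": text}

def find_unreturned_pings(lines, window=timedelta(seconds=5)):
    """Return (peer, interface, time) for every 313001 echo-reply denial that
    follows a 302020 outbound ICMP build towards the same peer within `window`."""
    built = {}      # peer -> time the ASA last built an outbound ICMP connection
    findings = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        if ev["id"] == "302020":
            m = BUILT_RE.search(ev["text"])
            if m:
                built[m.group(1)] = ev["ts"]
        elif ev["id"] == "313001":
            m = DENIED_RE.search(ev["text"])
            if not m or m.group(1) != "0":      # ICMP type 0 is echo-reply
                continue
            peer, iface = m.group(2), m.group(3)
            t0 = built.get(peer)
            if t0 is not None and timedelta(0) <= ev["ts"] - t0 <= window:
                findings.append((peer, iface, ev["ts"]))
    return findings

if __name__ == "__main__":
    for peer, iface, when in find_unreturned_pings(SAMPLE_LOG):
        print(f"{when} echo-reply from {peer} dropped on {iface}: ICMP return traffic not matched to a connection")
```

The inside-host excerpt (302020 followed only by a 302021 teardown, no 313001) is intentionally not flagged, since 313001 covers ICMP addressed to the ASA itself.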