Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
453
Views
0
Helpful
3
Replies

ASA5520 Inside interface routing to a public address outside no issue seen when doing a packet trace

njm
Level 1
Level 1

‎01-06-2018 08:01 AM - edited ‎02-21-2020 07:05 AM

I have a router on the outside of the firewall where the public address resides to the internet. From the asa I have set the static route to this router and have set the associated rules to pass traffic from the inside host to the outside internet host. When checking the ASDM packet trace I see where the the icmp packet is allowed however cannot ping the internet address for the website that I am going to. My outside router I can ping the internet address and back to the inside host address.

In looking at the syslog I see the outbound connection made and on the next line teardown of the same connection.

What am I missing?

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-06-2018 08:15 AM

Do you have "inspect icmp" in your default class-map?

 

You also need to allow the return icmp echo replies (and unreachables etc.)

 

https://www.petenetlive.com/KB/Article/0000351

 

To go all the way and allow traceroute to work properly, please see this article:

 

http://www.packetu.com/2009/10/09/traceroute-through-the-asa/

0 Helpful

njm
Level 1
Level 1
In response to Marvin Rhoads

‎01-06-2018 09:06 AM

Thank You for your answer



Global policy is set for icmp and I can trace to any other network on the outside I cannot get to the internet website ip address from the inside host




0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to njm

‎01-06-2018 05:48 PM

If you can ping outside hosts but not Internet-based ones there is usually an inconsistency with an upstream device.

 

For instance, if your Internet-facing router or firewall does not have a route back to your source addresses or if it has a NAT rule that does not include your source addresses.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card