ASA5520 Inside interface routing to a public address outside no issue seen when doing a packet trace

njm
Level 1

I have a router on the outside of the firewall where the public address resides to the internet. From the ASA I have set the static route to this router and have set the associated rules to pass traffic from the inside host to the outside internet host. When checking the ASDM packet trace I see where the ICMP packet is allowed; however, I cannot ping the internet address for the website that I am going to. From my outside router I can ping the internet address and back to the inside host address.

In looking at the syslog I see the outbound connection made and, on the next line, a teardown of the same connection.

What am I missing?

3 Replies

Marvin Rhoads
Hall of Fame

Do you have "inspect icmp" in your default class-map?


You also need to allow the return ICMP echo replies (and unreachables etc.).


https://www.petenetlive.com/KB/Article/0000351


To go all the way and allow traceroute to work properly, please see this article:


http://www.packetu.com/2009/10/09/traceroute-through-the-asa/
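As an added example (not configuration from the original thread, from Cisco or from the linked articles), this is an ASA CLI fragment that implements both points in the reply above: ICMP inspection in the default global policy, so each echo request is tracked as a connection and its reply is matched to that state, plus an explicit outside-facing ACL for the reply and error types a ping or traceroute needs back. The ACL name OUTSIDE_IN and the interface name "outside" are assumptions.

```text
! ICMP inspection in the default global policy. With "inspect icmp" the ASA
! tracks each echo request as a connection and lets the matching echo-reply
! back in without a separate ACL entry; "inspect icmp error" additionally
! fixes up the addresses embedded in ICMP error messages across NAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Explicitly permit the ICMP types a ping or traceroute must receive, so
! the return traffic still works if inspection is ever removed from the
! policy. ACL name OUTSIDE_IN and interface name "outside" are assumed.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside
!
! Verify that the inspection is active and that ICMP connections appear
! while a ping from the inside host is running.
show service-policy inspect icmp
show conn protocol icmp
```

Two cautions when applying this: an interface can carry only one inbound access-group, so if an ACL is already bound to "outside" the entries belong in that existing ACL rather than in a new one; and an "any any" echo-reply permit is deliberately narrow to reply and error types, never to echo requests from the outside.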

Thank you for your answer.



Global policy is set for ICMP and I can trace to any other network on the outside, but I cannot get to the internet website IP address from the inside host.




If you can ping outside hosts but not Internet-based ones, there is usually an inconsistency with an upstream device.


For instance, your Internet-facing router or firewall may not have a route back to your source addresses, or it may have a NAT rule that does not include your source addresses.
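To tell an ASA-side drop apart from the upstream route-back or NAT problem described above, here is an added verification sequence (not from the original thread or from Cisco documentation). It assumes the addresses shown, which are constructed from documentation ranges: inside host 192.168.1.10, ASA outside address 198.51.100.5 used for NAT, and Internet target 203.0.113.10; the capture name ICMP_OUT is also an assumption.

```text
! Assumed addresses (constructed, documentation ranges):
!   inside host 192.168.1.10, ASA outside/NAT address 198.51.100.5,
!   Internet target 203.0.113.10.
!
! 1. Confirm how the inside host is translated and therefore which
!    address the upstream router must be able to route back to.
show nat detail
show xlate
show route
!
! 2. Capture ICMP on the outside interface while the inside host pings
!    203.0.113.10. If only echo requests appear and no echo-replies, the
!    reply never reached the ASA: the upstream router's return route or
!    NAT scope is where to look, not the ASA policy.
capture ICMP_OUT interface outside match icmp host 198.51.100.5 host 203.0.113.10
show capture ICMP_OUT
!
! 3. Simulate an echo-reply (type 0, code 0) arriving from the Internet
!    host at the NAT address. A drop in the ACCESS-LIST phase points at the
!    outside ACL; a pass here combined with an empty reply capture in step 2
!    confirms the problem is upstream.
packet-tracer input outside icmp 203.0.113.10 0 0 198.51.100.5
!
! 4. Remove the capture when finished.
no capture ICMP_OUT
```

One caveat on step 3: when return traffic is allowed only by ICMP inspection and not by an explicit echo-reply ACL entry, a packet-tracer of a lone reply can show a drop simply because no matching connection exists at that moment, so the capture in step 2, taken during a live ping, is the more reliable indicator of whether replies are arriving at all.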
