ASA5550: inside host can't ping internet

renenkel
Level 1

I'm trying to put an ASA5550 between my ISP's modem and my internal network (just my laptop, to start with).  From the ASA console, I can ping out to the internet (e.g. 8.8.8.8), but not from the laptop.  My laptop can't even ping the ISP gateway, though it can ping the ASA port it's connected to.  Can anyone please tell me what I've done wrong?

My ISP gateway is 10.0.0.1 and is connected to interface g1/0 (outside) on the ASA.  My laptop is connected to g0/0 (inside) and is getting address 10.99.0.100 from DHCP on the ASA.


ciscoasa# show interface g0/0
Interface GigabitEthernet0/0 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: LAN interface
        MAC address 001b.d454.f12a, MTU 1500
        IP address 10.99.0.1, subnet mask 255.255.255.0
...
ciscoasa# show interface g1/0
Interface GigabitEthernet1/0 "outside", is up, line protocol is up
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Media-type configured as RJ45 connector
        Description: WAN interface
        MAC address 6400.f182.579e, MTU 1500
        IP address 10.0.0.254, subnet mask 255.255.255.0
...
ciscoasa# show route
...
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

C    10.0.0.0 255.255.255.0 is directly connected, outside
C    10.99.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside

ciscoasa# show run dhcpd
dhcpd address 10.99.0.100-10.99.0.200 inside
dhcpd enable inside

ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

14 Replies

@renenkel Hi, you need to configure a route in your ISP router for your internal network, or use NAT on the ASA to translate traffic towards the internet.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

renenkel
Level 1

Thanks Kasun -- I tried this but it still doesn't work...  @Kasun Bandara 

ciscoasa(config)#  object network inside-subnet
ciscoasa(config-network-object)# subnet 10.99.0.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa(config-network-object)# exit
ciscoasa(config)# exit
ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-subnet interface
    translate_hits = 10, untranslate_hits = 22


@renenkel Can you share the output of 'sh run nat'?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

ciscoasa# sh run nat
!
object network inside-subnet
 nat (inside,outside) dynamic interface
ciscoasa#


@Kasun Bandara

@renenkel Can you share the output of 'asa(config)# sh xlate type dynamic' while trying to access the internet? Also, do you have ASDM?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

@Kasun Bandara I haven't been able to get ASDM working -- the app from the ASA seems incompatible with Windows 10, even in compatibility mode.  Below is the output of sh xlate type dynamic while pinging 8.8.8.8 from the internal host.

ciscoasa(config)# sh xlate type dynamic
13 in use, 15 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside:10.99.0.100/40989 to outside:10.0.0.254/40989 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from inside:10.99.0.100/55960 to outside:10.0.0.254/55960 flags ri idle 0:01:23 timeout 0:00:30
UDP PAT from inside:10.99.0.100/50993 to outside:10.0.0.254/50993 flags ri idle 0:01:24 timeout 0:00:30
UDP PAT from inside:10.99.0.100/52990 to outside:10.0.0.254/52990 flags ri idle 0:01:25 timeout 0:00:30
UDP PAT from inside:10.99.0.100/62721 to outside:10.0.0.254/62721 flags ri idle 0:01:34 timeout 0:00:30
UDP PAT from inside:10.99.0.100/59119 to outside:10.0.0.254/59119 flags ri idle 0:01:34 timeout 0:00:30
UDP PAT from inside:10.99.0.100/59398 to outside:10.0.0.254/59398 flags ri idle 0:01:39 timeout 0:00:30
UDP PAT from inside:10.99.0.100/57913 to outside:10.0.0.254/57913 flags ri idle 0:01:52 timeout 0:00:30
UDP PAT from inside:10.99.0.100/58919 to outside:10.0.0.254/58919 flags ri idle 0:01:52 timeout 0:00:30
UDP PAT from inside:10.99.0.100/57181 to outside:10.0.0.254/57181 flags ri idle 0:01:53 timeout 0:00:30
UDP PAT from inside:10.99.0.100/64723 to outside:10.0.0.254/64723 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from inside:10.99.0.100/52382 to outside:10.0.0.254/52382 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from inside:10.99.0.100/63117 to outside:10.0.0.254/63117 flags ri idle 0:00:05 timeout 0:00:30

Did you add icmp inspection? 

You need ICMP inspection for any ICMP passthrough on the ASA.

MHM

balaji.bandi
Hall of Fame

What ASA code is running on this ASA? show version will give you that information.

Configuration commands for older versions of ASA code:

ASA5(config)#
global (outside) 1 interface
nat (inside) 1 10.99.0.0 255.255.255.0

Configuration commands for version 8.3 or newer:

ASA5(config)#
object network OBJ_NAT_LAN
subnet 10.99.0.0 255.255.255.0
nat (inside,outside) dynamic interface

On the PC, can you post ipconfig /all?

If you still have an issue, post show run (the full output, with password information removed).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi 

ciscoasa> show version
Cisco Adaptive Security Appliance Software Version 9.1(6)
Device Manager Version 7.9(2)152

The commands I used are like what you give for version 8.3 or newer:

ciscoasa(config)#  object network inside-subnet
ciscoasa(config-network-object)# subnet 10.99.0.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Here is the output of ipconfig /all from the PC:

C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Thinkstation
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 70-F3-95-02-0D-99
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 70-F3-95-02-0D-98
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c59e:1f34:3b87:3d5f%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.99.0.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : January-28-24 4:46:36 PM
   Lease Expires . . . . . . . . . . : January-28-24 5:49:51 PM
   Default Gateway . . . . . . . . . : 10.99.0.1
   DHCP Server . . . . . . . . . . . : 10.99.0.1
   DHCPv6 IAID . . . . . . . . . . . : 242283413
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-CB-85-84-70-F3-95-02-0D-98
   DNS Servers . . . . . . . . . . . : 2620:10a:80bb::20
                                       2620:10a:80bc::20
                                       149.112.121.20
                                       149.112.122.20
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-NordVPN Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-A3-53-D7-9C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Here is the output of show run from the ASA:

ciscoasa(config)# show run
: Saved
:
: Serial Number: JMX1131L1X0
: Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
:
ASA Version 9.1(6)
!
hostname ciscoasa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description LAN interface
 nameif inside
 security-level 100
 ip address 10.99.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 description WAN interface
 nameif outside
 security-level 0
 ip address 10.0.0.254 255.255.255.0
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network inside-subnet
 subnet 10.99.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-subnet
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.99.0.0 255.255.255.0 inside
telnet timeout 2
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.99.0.100-10.99.0.200 inside
dhcpd enable inside
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily



How are you testing from your PC?  Are you just using ping or are you also trying to browse to webpages (assuming you have DNS configured)?

Verify that you have ICMP inspection configured with show run policy-map to allow ping packets through the ASA.  If it is not configured, add it.

policy-map global_policy
  class inspection_default
    inspect icmp

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud So far I have only tried pinging 8.8.8.8 from the PC, which hasn't worked.  Here's the output of show run policy-map:


ciscoasa(config)# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
ciscoasa(config)#


Oh, wait a minute....ICMP isn't there.  Adding it....

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp

Yay!!! Now it works!

C:\WINDOWS\system32>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=19ms TTL=117
Reply from 8.8.8.8: bytes=32 time=12ms TTL=117
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117

Thanks Marius!!!

For ping to work through the firewall, you need to add inspect icmp to the class inspection_default under policy-map global_policy.

--
Please remember to select a correct answer and rate helpful posts

Nice! Glad we could help.

--
Please remember to select a correct answer and rate helpful posts

renenkel
Level 1

Thanks so much to everyone who helped!
So, to summarize, I had to do two things:
- configure NAT to translate inside addresses to the internet ( @Kasun Bandara )
- inspect ICMP to allow pings through the ASA ( @Marius Gunnerud , @MHM Cisco World )

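The two gaps the thread ends on (no dynamic NAT for the inside subnet, no inspect icmp in the global policy) can be checked mechanically against a saved show run. The audit script below is an added example, not Cisco tooling or the poster's own code; the config excerpt it runs on is constructed from the show run posted above, and the interface names inside/outside are assumed to match this thread's setup.

```python
import re

# Constructed excerpt modelled on the 'show run' in the thread, before the fix.
SAMPLE_CONFIG = """\
object network inside-subnet
 subnet 10.99.0.0 255.255.255.0
object network inside-subnet
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""
# Same config after the fix from the thread; the appended line is indented,
# so it attaches to the policy-map block that ends the excerpt.
FIXED_CONFIG = SAMPLE_CONFIG + "  inspect icmp\n"

def parse_blocks(config):
    """Group indented lines under their top-level command, as 'show run' nests them."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # skip separators and blank lines
        if not line.startswith(" "):
            current = (line.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return blocks

def audit(config, inside="inside", outside="outside"):
    """Return a list of findings; an empty list means both checks passed."""
    blocks = parse_blocks(config)
    findings = []
    nat_re = re.compile(r"nat \(%s,%s\) dynamic" % (re.escape(inside), re.escape(outside)))
    # 1. Dynamic NAT: some object network must carry a nat (inside,outside) rule.
    if not any(h.startswith("object network") and any(nat_re.match(b) for b in body)
               for h, body in blocks):
        findings.append("no nat (%s,%s) rule: inside hosts would leave untranslated" % (inside, outside))
    # 2. ICMP inspection: the ASA is stateful, and without 'inspect icmp' it keeps no
    #    connection entry for an echo request, so the echo reply is dropped on return.
    global_policy = [body for h, body in blocks if h == "policy-map global_policy"]
    if not global_policy or "inspect icmp" not in global_policy[0]:
        findings.append("inspect icmp missing from global_policy: pings through the ASA fail")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Feed it the output of show run from the ASA instead of SAMPLE_CONFIG to check a live box; the parser only needs the standard one-space nesting of the running config.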