Can't Ping FROM ASA Unit to Inet

Danny Steier
Level 1

Hello,

I have an interesting issue I can't figure out. My setup is simple; <inside network (192.168.1.x)> -------> ASA---------> Inet.

Clients on the 192.168.1.x subnet can ping 4.2.2.2 and get icmp replies with no problem. However, if I try to do an extended ping from the ASA unit itself I get nothing. What am I missing? Thanks

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.163.x.x
!
interface Vlan3
 no forward interface Vlan1
 nameif public
 security-level 10
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 50
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asdm-631.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
 domain-name xxxxx
object-group network obj-192.168.2.0
object-group network obj-192.168.1.0
object-group network obj-192.168.3.0
object-group network obj-192.168.1.9
object-group network obj-192.168.1.9-01
object-group network obj-192.168.1.12
object-group network obj-192.168.1.9-02
object-group network obj-192.168.1.22
object-group network obj_any
object-group network obj_any-01
object-group network inside
 network-object 192.168.1.0 255.255.255.0
object-group network vpnclients
 network-object 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list smtp extended permit tcp any host 173.163.161.1 eq smtp
access-list smtp extended permit tcp any host 173.163.161.1 eq https
access-list smtp extended permit tcp any host 173.163.161.2 eq https
access-list smtp extended permit tcp any host 173.163.161.1 eq imap4
access-list smtp extended permit icmp any any unreachable
access-list smtp extended permit icmp any any time-exceeded
access-list smtp extended permit icmp any any echo-reply
access-list smtp extended permit tcp any host 173.163.x.x eq 9676
access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Throttle extended permit ip 192.168.5.0 255.255.255.0 any
access-list Throttle extended permit ip any 192.168.5.0 255.255.255.0
access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.4 eq ldap
access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.9 eq smtp
access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.9 eq 995
access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.2 eq 9676
access-list DMZ_INSIDE extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_INSIDE extended permit ip any any
access-list outside_30_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list test webtype permit tcp 192.168.1.0 255.255.255.0 log default
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging trap warnings
logging history errors
logging asdm notifications
logging host inside 192.168.1.7
logging host inside 192.168.1.3 format emblem
logging host inside 192.168.1.44
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu public 1500
mtu DMZ 1500
ip local pool xxxxxx 192.168.2.0-192.168.2.253 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 173.163.x.x netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public) 2 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.9 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.9 imap4 netmask 255.255.255.255
static (inside,outside) tcp 173.163.x.x https 192.168.1.12 https netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,outside) 173.163.161.3 172.16.1.2 netmask 255.255.255.255
access-group smtp in interface outside
access-group DMZ_INSIDE in interface DMZ
route outside 0.0.0.0 0.0.0.0 173.163.161.6 1
route inside 10.10.1.0 255.255.255.0 192.168.1.201 1
route inside 10.10.10.0 255.255.255.0 192.168.1.46 1
route inside 10.10.20.0 255.255.255.0 192.168.1.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VpnUsers protocol radius
aaa-server VpnUsers (inside) host 192.168.1.4
 timeout 5
 key E2:8Fbgyhbs
aaa-server AD_Auth protocol nt
aaa-server AD_Auth (inside) host 192.168.1.4
 nt-auth-domain-controller 192.168.1.4
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 74.212.x.x 255.255.255.0 outside
snmp-server host inside 192.168.1.2 community 53cur3-n3t
snmp-server host inside 192.168.1.7 community 53cur3-n3t
snmp-server host outside 74.212.x.x community L3t-th3-l1ght-1n
snmp-server location DC Server Room
snmp-server contact Dan Steier
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 74.42.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 66.152.x.x
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.1.0 255.255.255.0 inside
ssh 74.212.x.0 255.255.255.0 outside
ssh timeout 10
ssh version 2
console timeout 0
management-access inside
dhcpd address 192.168.5.10-192.168.5.200 public
dhcpd dns 208.67.220.220 208.67.222.222 interface public
dhcpd enable public
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.7 c:\tftp-root
webvpn
group-policy phccabington internal
group-policy phccabington attributes
 wins-server value 192.168.1.4 192.168.1.6
 dns-server value 192.168.1.4 192.168.1.6
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value phcc.int
group-policy phccvpn internal
group-policy phccvpn attributes
 wins-server value 192.168.1.4 192.168.1.6
 dns-server value 192.168.1.4 192.168.1.6
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value
username password A5oXdNd3.3sEhzYt encrypted privilege 0
username admin password Qyt908tEpeoOu0oA encrypted
username d password IdYn1VlBhGzwvlxo encrypted privilege 15
username d attributes
 vpn-group-policy phccabington
username lstech password ucUIkhrdvF2Z0BY9 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 10
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 10
tunnel-group phccvpn type remote-access
tunnel-group phccvpn general-attributes
 address-pool phccabington
 authentication-server-group PhccVpnUsers
 default-group-policy phccvpn
tunnel-group phccvpn ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
tunnel-group 74.42.x.x type ipsec-l2l
tunnel-group 74.42.x.x ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
tunnel-group 66.152.x.x type ipsec-l2l
tunnel-group 66.152.x.x ipsec-attributes
 pre-shared-key *
!
class-map CM-Public
 match access-list Throttle
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map PM-BWcontrol
 class CM-Public
  police input 1000000
  police output 5000000
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

Thanks

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Can you copy/paste the exact command used on the ASA?

The ASA generally controls ICMP messages of all kinds towards its interfaces with the command "icmp".

You seem to currently have it block every type of ICMP message from any source address on the "outside":

icmp deny any outside

- Jouni


4 Replies


The actual "icmp" could be configured like this I guess:

no icmp deny any outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any outside

- Jouni
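The point of the thread is that the ASA's icmp command governs ICMP addressed to the ASA's own interfaces, not ICMP transiting the box, so the inside clients' pings (handled by the outside access-list and inspect icmp) kept working while the ASA's own echo-replies were dropped at the outside interface. The Python below is an added example, not code from the thread or from Cisco: it parses icmp permit/deny lines and evaluates them the way the ASA documents them (first match per interface, implicit deny once any rule exists on that interface, accept-all when none exist). The two rule sets are constructed from the poster's original line and from Jouni's proposed order; the IP 198.51.100.7 is a placeholder internet source.

```python
"""Evaluate Cisco ASA 'icmp' interface-control rules with first-match semantics."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IcmpRule:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # sources the rule matches ("any" = 0.0.0.0/0)
    icmp_type: Optional[str]        # e.g. "echo-reply"; None matches every ICMP type
    interface: str                  # interface the ICMP packet terminates on


def parse_icmp_rule(line: str) -> Optional[IcmpRule]:
    """Parse 'icmp {permit|deny} {any|host A|A MASK} [type] IFACE'; other lines give None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        return None  # e.g. 'icmp unreachable rate-limit ...' is not an access rule
    interface = tokens[-1]
    body = tokens[2:-1]
    if body[0] == "any":
        source, rest = ipaddress.IPv4Network("0.0.0.0/0"), body[1:]
    elif body[0] == "host":
        source, rest = ipaddress.IPv4Network(body[1] + "/32"), body[2:]
    else:  # 'A.B.C.D MASK' form; ipaddress accepts a dotted netmask after the slash
        source, rest = ipaddress.IPv4Network(f"{body[0]}/{body[1]}", strict=False), body[2:]
    return IcmpRule(tokens[1], source, rest[0] if rest else None, interface)


def parse_config(lines: List[str]) -> List[IcmpRule]:
    """Collect the icmp control rules from a running-config, keeping their order."""
    rules = []
    for line in lines:
        rule = parse_icmp_rule(line.strip())
        if rule is not None:
            rules.append(rule)
    return rules


def asa_accepts(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: str) -> bool:
    """True if an ICMP packet of icmp_type from src_ip, addressed to the ASA's own
    interface, is accepted. With no rules on the interface the ASA accepts all ICMP;
    once any rule exists it is first match, then an implicit deny (documented ASA behaviour)."""
    iface_rules = [r for r in rules if r.interface == interface]
    if not iface_rules:
        return True
    src = ipaddress.IPv4Address(src_ip)
    for r in iface_rules:
        if src in r.source and r.icmp_type in (None, icmp_type):
            return r.action == "permit"
    return False


# Constructed excerpts: the poster's current rule set and Jouni's proposed order.
ORIGINAL_CONFIG = [
    "icmp unreachable rate-limit 1 burst-size 1",
    "icmp deny any outside",
]
PROPOSED_CONFIG = [
    "icmp unreachable rate-limit 1 burst-size 1",
    "icmp permit any echo-reply outside",
    "icmp permit any time-exceeded outside",
    "icmp permit any unreachable outside",
    "icmp deny any outside",
]


def ping_from_asa_works(config_lines: List[str], target: str = "4.2.2.2") -> bool:
    """A ping sourced by the ASA succeeds only if the echo-reply coming back from the
    target is accepted on the outside interface; that reply is what the icmp rules judge."""
    return asa_accepts(parse_config(config_lines), "outside", target, "echo-reply")


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("proposed", PROPOSED_CONFIG)):
        rules = parse_config(cfg)
        print(f"{name}: ping from ASA works = {ping_from_asa_works(cfg)}, "
              f"inbound echo to outside accepted = "
              f"{asa_accepts(rules, 'outside', '198.51.100.7', 'echo')}")
```

Running it shows the original set dropping the ASA's own echo-replies while the proposed order lets echo-reply, time-exceeded and unreachable in and still denies unsolicited echo requests from the internet to the outside interface; the inside interface, with no icmp rules, accepts everything. Order matters: placing the deny-any line first would shadow the permits.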

Oops! I didn't see that...wow (feeling really dumb right now). Thanks for pointing out what I overlooked!! I removed it and I can now ping from the ASA. Thanks

No problem,

Please mark the question as answered

- Jouni
