
can't ping outside host from inside

LionKin1984
Level 1

Hello everyone

Please help

I am aware that you can't ping through a Cisco ASA firewall unless ICMP is inspected or ACLs are created. The problem I have been having so far is that although I have ACLs configured to allow ICMP echo reply on the outside interface, I still can't ping the outside host (nor the outside interface of the ASA). Please see the attached running-config and topology.

The software I am using is asdm-641.bin on an ASA 5520.

Thanks


Jouni Forss
VIP Alumni

Hi,

Notice that you CANNOT PING / ICMP an ASA interface behind another interface.

So users behind the "inside" interface can ping the "inside" interface IP address, and users behind the "outside" interface can ping the "outside" interface IP address. This doesn't work when you are trying to PING / ICMP an interface IP address behind which the host IS NOT located. In other words, you can't ping an interface IP address of the ASA across another interface.

You also mentioned that you can't PING / ICMP some host behind the ASA "outside" interface? I presume you mean that some host behind the "inside" interface can't PING / ICMP a host behind the "outside" interface.

I notice that you don't have any NAT configurations on the ASA, so that means that all traffic will go through with its original IP addresses.

So make sure the router in front of the ASA has a route for the network that is located behind the ASA.

A route like this

ip route 10.0.1.0 255.255.255.0 192.168.1.2

Otherwise the ICMP Echo reply will never reach back to the host.

The other alternative is to configure Dynamic PAT for users behind the "inside" interface with the following command

nat (inside,outside) after-auto source dynamic any interface

- Jouni

Hi Jouni

Thanks for your reply,

"You also mentioned that you can't PING / ICMP some host behind the ASA "outside" interface? I presume you mean that some host behind the "inside" interface can't PING / ICMP a host behind the "outside" interface." That is exactly what I meant.

I can ping the inside interface on the ASA from vmnet2 and vice versa.

I can ping the outside interface on the ASA from the LAN and vice versa (a default route has been configured, as you can see in the running-config).

Does NAT have to be configured in this case for ping to take place?

I am new to networking, so I am probably asking a dumb question (pardon me if I am).

thanks

Hi,

What I was thinking, looking at your picture, was this.

  • You have network 10.0.1.0/24 connected to the ASA "inside" interface
  • You have network 192.168.1.0/24 connected to the ASA "outside" interface
  • You probably have some other network on some other interface on the router which is your actual LAN network. For example's sake, let's say it's 172.16.1.0/24

Now imagine the situation where host 10.0.1.100 sends an ICMP Echo to the remote host 172.16.1.100

  • Host 10.0.1.100 sends the ICMP to its default gateway, which is the ASA
  • The ASA uses the default route to forward the packet to the router
  • The router has the connected network 172.16.1.0/24 and therefore can forward the packet to host 172.16.1.100 directly
  • Host 172.16.1.100 will send an ICMP Echo Reply back to its default gateway (f0/1 I guess)
  • The router is missing a route for network 10.0.1.0/24 and therefore doesn't know where to forward the packet.
  • Host 10.0.1.100 will never receive a reply


Naturally, if you have a static route configured on the router that tells the router that the network 10.0.1.0/24 is found behind the ASA, then there must be some other problem.

If you were to configure a Dynamic PAT translation for the hosts on the network 10.0.1.0/24, they would be translated to the IP address 192.168.1.2 of the ASA. This would essentially remove the above problem with the missing route, as the users would be visible with another IP address to the LAN 172.16.1.0/24, and therefore the ICMP Echo Reply would find its way back to the ASA (and the host 10.0.1.100). Mainly because the router sees the network 192.168.1.0/24 as directly connected and therefore knows where to forward traffic destined to the IP 192.168.1.2 (that is used for Dynamic PAT).

Hope this makes sense

- Jouni

This totally makes sense, thanks a lot Jouni.

I must've configured something wrong; the problem still stands, I still can't ping through the firewall (can't ping the remote host).

I haven't created any service policy for ICMP inspection, would that be the cause? (But I have created ACLs for this purpose, though.)

Regards

Hi,

Did you confirm the configurations on the router in front of the ASA? Does it have a route for the network behind the ASA? The network 10.0.1.0/24?

Have you confirmed that the device behind the ASA "inside" interface has default gateway configured correctly?

I can't see anything in the ASA configurations that should prevent you from sending ICMP through it.

You could use the "packet-tracer" command to simulate an ICMP Echo and confirm that the rules are correct for it to go through the firewall.

packet-tracer input inside icmp 10.0.1.100 8 0

- Jouni

Hi Jouni, sorry about the lateness in reply, I finished work at 4pm yesterday.

I have created a route on the router in front of the ASA:

ip route 10.0.1.0 255.255.255.0 192.168.1.2

The device behind the ASA inside interface has a default gateway of 192.168.1.2 (which is the outside interface IP address of the ASA).

I will give packet-tracer a try and report back later today

Thanks

Hi Jouni

It is working now!!!!!!!!!! Thanks so much for your help

You were absolutely right in your last post:

"Have you confirmed that the device behind the ASA "inside" interface has default gateway configured correctly?"

I didn't. I had the wrong gateway address on the inside host: instead of giving it the default gateway address of the ASA's inside interface (10.0.1.1), I gave it the outside interface address (192.168.1.2).. (as I mentioned before, I am a newbie lol)

So I entered the right default gateway address, created an ACL to permit icmp (didn't even bother with echo-reply) and then IT WORKED..

I double checked the default gateway address on the outside host just in case and it appeared to be the right one.

No NAT configured yet.

Thanks again for your help Jouni
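The two failure modes this thread walks through, the missing return route on the router that Jouni describes and the wrong host default gateway that turned out to be the actual cause, traced with a small routing simulation. This is an added example, not code from the original thread or from Cisco; it assumes Jouni's example LAN 172.16.1.0/24, an ASA routing table of its two connected networks plus a default route toward 192.168.1.1, and that the ASA ACL permits the echo-reply back in.

```python
import ipaddress

# Constructed topology from the thread: host 10.0.1.100 behind the ASA "inside"
# interface 10.0.1.1, ASA "outside" 192.168.1.2, router 192.168.1.1, and Jouni's
# example LAN 172.16.1.0/24 with host 172.16.1.100 (assumed, not from a config).
INSIDE_NET = ipaddress.ip_network("10.0.1.0/24")
ASA_OUTSIDE_IP = "192.168.1.2"
ASA_ROUTES = {"10.0.1.0/24": "connected", "192.168.1.0/24": "connected",
              "0.0.0.0/0": "192.168.1.1"}  # assumed default route toward the router
ROUTER_BASE = {"192.168.1.0/24": "connected", "172.16.1.0/24": "connected"}

def lookup(routes, dst):
    """Longest-prefix match: returns 'connected', a next-hop IP, or None if no route."""
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None

def ping(src, dst, host_gw, router_routes, pat=False):
    """Trace an ICMP echo from src to dst and the reply back; return a verdict string."""
    # A host can only reach a default gateway on its own subnet (the bug found at the end).
    if ipaddress.ip_address(host_gw) not in INSIDE_NET:
        return "echo never leaves host: default gateway " + host_gw + " is not on 10.0.1.0/24"
    # The ASA forwards via its routing table; with Dynamic PAT the source becomes its outside IP.
    if lookup(ASA_ROUTES, dst) is None:
        return "ASA has no route to " + dst
    reply_dst = ASA_OUTSIDE_IP if pat else src
    # The router delivers the echo to its connected LAN, then must route the reply back.
    if lookup(router_routes, dst) is None:
        return "router has no route to " + dst
    if lookup(router_routes, reply_dst) is None:
        return "echo reply dropped at router: no route back to " + reply_dst
    # The reply reaches the ASA, whose ACL (per the thread) permits echo-reply inbound.
    return "reply received"

def scenarios():
    """The four cases the thread walks through, keyed by description."""
    with_route = {**ROUTER_BASE, "10.0.1.0/24": ASA_OUTSIDE_IP}  # ip route 10.0.1.0 255.255.255.0 192.168.1.2
    return {
        "no return route on router": ping("10.0.1.100", "172.16.1.100", "10.0.1.1", ROUTER_BASE),
        "static route on router": ping("10.0.1.100", "172.16.1.100", "10.0.1.1", with_route),
        "dynamic PAT, no route needed": ping("10.0.1.100", "172.16.1.100", "10.0.1.1", ROUTER_BASE, pat=True),
        "wrong host gateway": ping("10.0.1.100", "172.16.1.100", ASA_OUTSIDE_IP, with_route),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The last scenario reproduces the thread's resolution: with 192.168.1.2 set as the gateway of a 10.0.1.0/24 host, the echo never even reaches the ASA, so no ACL, inspection or NAT change on the firewall can fix it.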
