05-05-2016 10:26 PM - edited 03-12-2019 12:42 AM
Hi,
I have a firewall problem. Why can't I ping the outside gateway 192.168.1.90?
My PC IP address is 10.10.1.1. I have set the PAT and ACL. Here is my topology below. Please help. Thank you!
05-05-2016 10:26 PM
Here is my config:
ASA Version 9.5(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.90 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
nameif inside2
security-level 0
ip address 3.3.3.4 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone HKST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 10.10.1.0 255.255.255.0
object network abcd
subnet 10.10.1.0 255.255.255.0
object network qwert
subnet 192.168.1.0 255.255.255.0
object network source
range 10.10.1.2 10.10.1.100
object network aaaa
range 192.168.1.91 192.168.1.254
object network jjjjj
host 192.168.1.90
object network TestNet1
subnet 3.3.3.0 255.255.255.0
object network bbbb
range 192.168.1.1 192.168.1.89
object-group network d
network-object object aaaa
object-group network abcde
network-object object abcd
object-group network qwer
network-object object qwert
object-group network sourceaddress
network-object object source
object-group network s
network-object 10.10.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp6
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq www
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp destination eq echo
service-object tcp destination eq www
service-object icmp echo
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp
service-object icmp echo
service-object tcp-udp destination eq www
service-object tcp destination eq www
service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object icmp echo
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp
service-object icmp echo
service-object tcp-udp destination eq www
object-group network DM_INLINE_NETWORK_1
network-object object aaaa
network-object object jjjjj
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any any
access-list allow_ping_outside extended permit object-group DM_INLINE_SERVICE_4 any interface outside
access-list allow_ping extended permit object-group DM_INLINE_SERVICE_5 any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit 10.10.1.0 255.255.255.0 outside
icmp permit any inside
icmp permit 10.10.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic obj_any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
!
route-map abc permit 1
match ip address global_access
match ip next-hop global_access
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map global-class
match default-inspection-traffic
class-map inside-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
policy-map outside-policy
class outside-class
inspect icmp
inspect icmp error
policy-map global-policy
class global-class
inspect icmp
policy-map inside-policy
class inside-class
inspect icmp
inspect icmp error
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy inside-policy interface inside
prompt hostname context
call-home reporting anonymous
Cryptochecksum:a31062de89ab14e1b8659eae7a8155de
: end
05-05-2016 10:44 PM
Hi Kelvin,
By
For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.
Here is the document for the same:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/access_management.html#wp1214986
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-05-2016 11:00 PM
But my PC 10.10.1.9 can't ping any address.
Did I set my NAT rules wrong?
My problem is that inside addresses can't ping any outside address, even though I have set the NAT rules.
05-05-2016 11:04 PM
Hi,
NAT rules are fine.
Share the packet-tracer output:
packet-tracer input inside
Regards,
Aditya
05-05-2016 11:06 PM
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.1 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp destination eq echo
service-object tcp destination eq www
service-object icmp echo
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f43d3008750, priority=13, domain=permit, deny=false
hits=491, user_data=0x7f43ccd7ebc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic obj_any interface dns
Additional Information:
Dynamic translate 10.10.1.9/0 to 192.168.1.90/24740
Forward Flow based lookup yields rule:
in id=0x7f43d2480ef0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7f43d318cef0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.10.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f43d18fefc0, priority=0, domain=nat-per-session, deny=true
hits=108033, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f43d23fb050, priority=0, domain=inspect-ip-options, deny=true
hits=7644, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inside-class
match default-inspection-traffic
policy-map inside-policy
class inside-class
inspect icmp
service-policy inside-policy interface inside
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f43d3034780, priority=72, domain=inspect-icmp, deny=false
hits=1, user_data=0x7f43d249a500, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f43d249d230, priority=72, domain=inspect-icmp-error, deny=false
hits=1, user_data=0x7f43d249c630, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map outside-class
match default-inspection-traffic
policy-map outside-policy
class outside-class
inspect icmp
service-policy outside-policy interface outside
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f43d302be30, priority=72, domain=inspect-icmp, deny=false
hits=5, user_data=0x7f43d302a9d0, cs_id=0x0, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f43d302f800, priority=72, domain=inspect-icmp-error, deny=false
hits=5, user_data=0x7f43d302d960, cs_id=0x0, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic obj_any interface dns
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f43d320fe00, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7f43cfc3a660, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f43d18fefc0, priority=0, domain=nat-per-session, deny=true
hits=108035, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f43d2394270, priority=0, domain=inspect-ip-options, deny=true
hits=40260, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44469, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
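A trace that ends in "Action: allow", as the one above does, means the firewall has already cleared the packet through routing, ACL, NAT and inspection, so the search moves past the firewall to the host. The parser below is added here as an example (it is not from the thread or from Cisco); it pulls the per-phase verdicts, the NAT translation and the final action out of packet-tracer output, and the two transcripts embedded in it are constructed and abridged.

```python
import re

# Constructed, abridged packet-tracer transcripts in the shape seen in this
# thread: one allowed end to end, one denied by an ACL (a made-up failure case).
TRACE_ALLOW = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
found next-hop 192.168.1.1 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Dynamic translate 10.10.1.9/0 to 192.168.1.90/24740
Result:
Action: allow
"""
TRACE_DROP = """Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (.*)\nSubtype: ?(.*)\nResult: (\w+)", re.M)
XLATE_RE = re.compile(r"Dynamic translate (\S+) to (\S+)")

def parse_trace(text):
    """Extract per-phase verdicts, the NAT translation and the final action."""
    phases = [{"phase": int(n), "type": t, "subtype": s, "result": r}
              for n, t, s, r in PHASE_RE.findall(text)]
    xlate = XLATE_RE.search(text)
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.*)", text, re.M)
    return {"phases": phases,
            "translation": xlate.groups() if xlate else None,
            "action": action.group(1) if action else None,
            "drop_reason": reason.group(1).strip() if reason else None}

def verdict(text):
    """Say whether the firewall is the blocker and, if so, where in the pipeline."""
    info = parse_trace(text)
    if info["action"] == "allow":
        return "allowed: firewall path is clean; look at the host (local firewall, DNS)"
    bad = next((p for p in info["phases"] if p["result"] == "DROP"), None)
    where = f"phase {bad['phase']} ({bad['type']})" if bad else "an unlisted phase"
    return f"dropped in {where}: {info['drop_reason']}"
```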
05-05-2016 11:12 PM
Hi,
Can you please remove this config:
no service-policy outside-policy interface outside
no service-policy inside-policy interface inside
Also are you able to ping 192.168.1.1 ?
Can you check the
show arp
Regards,
Aditya
05-05-2016 11:27 PM
My firewall can ping 192.168.1.1, 8.8.8.8, 10.10.1.9 and 10.10.1.1. Here is my ARP table below.
After
no service-policy outside-policy interface outside
no service-policy inside-policy interface inside
my PC 10.10.1.9 still can't ping any address.
05-05-2016 11:32 PM
Hi,
Can you check if your Firewall is turned off on the PC ?
Also from the PC are you able to ping 10.10.1.1 ?
Please add a DNS server on your PC ( 4.2.2.2) and check if you can access
Regards,
Aditya
05-05-2016 11:37 PM
HEY!!!
THANK YOU SO MUCH!!!
After I typed in the DNS 4.2.2.2 I can access the internet now!!
Thank you so much!!
05-05-2016 11:40 PM
Hi Kelvin,
Glad to assist.
I would request you to close the discussion.
Regards,
Aditya