Cannot ping other interface (ASA 5506-x problem)

kelvin.lui11
Level 1

Hi,

I have a firewall problem. Why can't I ping the outside gateway 192.168.1.90?

My PC IP address is 10.10.1.1. I have set the PAT and ACL. Here is my topology as below. Please help. Thank you!


kelvin.lui11
Level 1

Here is my config:

ASA Version 9.5(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.90 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 nameif inside2
 security-level 0
 ip address 3.3.3.4 255.255.255.0
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone HKST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 10.10.1.0 255.255.255.0
object network abcd
 subnet 10.10.1.0 255.255.255.0
object network qwert
 subnet 192.168.1.0 255.255.255.0
object network source
 range 10.10.1.2 10.10.1.100
object network aaaa
 range 192.168.1.91 192.168.1.254
object network jjjjj
 host 192.168.1.90
object network TestNet1
 subnet 3.3.3.0 255.255.255.0
object network bbbb
 range 192.168.1.1 192.168.1.89
object-group network d
 network-object object aaaa
object-group network abcde
 network-object object abcd
object-group network qwer
 network-object object qwert
object-group network sourceaddress
 network-object object source
object-group network s
 network-object 10.10.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object icmp6
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp-udp destination eq www
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq echo
 service-object tcp-udp destination eq www
 service-object tcp destination eq echo
 service-object tcp destination eq www
 service-object icmp echo
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object icmp
 service-object icmp echo
 service-object tcp-udp destination eq www
 service-object tcp destination eq www
 service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object icmp
 service-object icmp echo
object-group service DM_INLINE_SERVICE_5
 service-object ip
 service-object icmp
 service-object icmp echo
 service-object tcp-udp destination eq www
object-group network DM_INLINE_NETWORK_1
 network-object object aaaa
 network-object object jjjjj
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any any
access-list allow_ping_outside extended permit object-group DM_INLINE_SERVICE_4 any interface outside
access-list allow_ping extended permit object-group DM_INLINE_SERVICE_5 any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit 10.10.1.0 255.255.255.0 outside
icmp permit any inside
icmp permit 10.10.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic obj_any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
!
route-map abc permit 1
 match ip address global_access
 match ip next-hop global_access

!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA

telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 outside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map global-class
 match default-inspection-traffic
class-map inside-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
policy-map outside-policy
 class outside-class
  inspect icmp
  inspect icmp error
policy-map global-policy
 class global-class
  inspect icmp
policy-map inside-policy
 class inside-class
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy inside-policy interface inside
prompt hostname context
call-home reporting anonymous
Cryptochecksum:a31062de89ab14e1b8659eae7a8155de
: end

Hi Kelvin,

By design ASA would not allow you to ping an interface IP if you come from a different interface.

For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.


Here is the document for the same:


http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/access_management.html#wp1214986

Regards,

Aditya

Please rate helpful posts and mark correct answers.
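As an added illustration of the point Aditya makes (this is my own example, not code from the thread or from Cisco): the script below parses the interface section of an ASA running-config and classifies a ping destination, so a "far-end interface" ping is recognised before anyone starts chasing ACLs or NAT. The config excerpt is copied from the one posted above; the function names and the three categories are my own.

```python
import ipaddress
import re

# Constructed excerpt: the three addressed interfaces from the running-config posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.90 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif inside2
 security-level 0
 ip address 3.3.3.4 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {nameif: (IPv4Interface, security_level)} for every addressed interface block."""
    interfaces = {}
    for block in re.finditer(r"^interface \S+\n((?: .*\n)+)", config, re.M):
        # each indented line is "<keyword> <rest>", e.g. "ip" -> "address 10.10.1.1 255.255.255.0"
        fields = dict(line.strip().partition(" ")[::2] for line in block.group(1).splitlines())
        if "nameif" not in fields or not fields.get("ip", "").startswith("address "):
            continue  # no nameif / no address: the ASA owns no pingable IP on this interface
        addr, mask = fields["ip"].split()[1:3]
        interfaces[fields["nameif"]] = (ipaddress.IPv4Interface(f"{addr}/{mask}"),
                                        int(fields.get("security-level", 0)))
    return interfaces

def classify_ping(interfaces, source_ifc, dst_ip):
    """Classify an ICMP echo that enters on source_ifc and is addressed to dst_ip.

    own-interface     : address of the interface the packet arrives on (the ASA answers)
    far-end-interface : address of another ASA interface (not answered, by design)
    transit           : not an ASA address; the packet is routed/NATed through the ASA,
                        so ACLs, NAT and the upstream path are what to check next
    """
    dst = ipaddress.IPv4Address(dst_ip)
    for name, (iface, _level) in interfaces.items():
        if iface.ip == dst:
            return "own-interface" if name == source_ifc else "far-end-interface"
    return "transit"
```

With the posted config, `classify_ping(parse_interfaces(SAMPLE_CONFIG), "inside", "192.168.1.90")` returns `far-end-interface`, which is exactly the case the reply above says the ASA will not answer.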

But my PC 10.10.1.9 can't ping any address.

Did I set my NAT rules wrong?

My problem is that inside addresses can't ping any outside address, even though I have set the NAT rules.

Hi,

NAT rules are fine.

Share the packet tracer output :

packet-tracer input inside icmp 10.10.1.9 8 0 4.2.2.2 det

Regards,

Aditya

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.1 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object tcp-udp destination eq echo
 service-object tcp-udp destination eq www
 service-object tcp destination eq echo
 service-object tcp destination eq www
 service-object icmp echo
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f43d3008750, priority=13, domain=permit, deny=false
        hits=491, user_data=0x7f43ccd7ebc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic obj_any interface dns
Additional Information:
Dynamic translate 10.10.1.9/0 to 192.168.1.90/24740
 Forward Flow based lookup yields rule:
 in  id=0x7f43d2480ef0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7f43d318cef0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.10.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f43d18fefc0, priority=0, domain=nat-per-session, deny=true
        hits=108033, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f43d23fb050, priority=0, domain=inspect-ip-options, deny=true
        hits=7644, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inside-class
 match default-inspection-traffic
policy-map inside-policy
 class inside-class
  inspect icmp
service-policy inside-policy interface inside
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f43d3034780, priority=72, domain=inspect-icmp, deny=false
        hits=1, user_data=0x7f43d249a500, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f43d249d230, priority=72, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0x7f43d249c630, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map outside-class
 match default-inspection-traffic
policy-map outside-policy
 class outside-class
  inspect icmp
service-policy outside-policy interface outside
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f43d302be30, priority=72, domain=inspect-icmp, deny=false
        hits=5, user_data=0x7f43d302a9d0, cs_id=0x0, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f43d302f800, priority=72, domain=inspect-icmp-error, deny=false
        hits=5, user_data=0x7f43d302d960, cs_id=0x0, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic obj_any interface dns
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f43d320fe00, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7f43cfc3a660, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.10.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f43d18fefc0, priority=0, domain=nat-per-session, deny=true
        hits=108035, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f43d2394270, priority=0, domain=inspect-ip-options, deny=true
        hits=40260, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44469, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
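
Added example (my own, not Cisco tooling and not code from the thread): a small parser for the packet-tracer output format shown above. It turns each phase into a record and pulls out the three things worth reading first: the final Action, the first phase whose Result is not ALLOW (none here), and the NAT translation applied. In this trace every phase allows and 10.10.1.9 is PATed to 192.168.1.90, which is why the troubleshooting moves on from the ASA to the PC. The sample is an abridged copy of the trace above; the function names are my own.

```python
import re
# Constructed abridgement of the packet-tracer output posted in this thread (route, NAT and verdict).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 192.168.1.1 using egress ifc  outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic obj_any interface dns
Additional Information:
Dynamic translate 10.10.1.9/0 to 192.168.1.90/24740

Result:
output-interface: outside
output-line-status: up
Action: allow
"""
def _kv(lines):
    return {k.strip(): v.strip() for k, v in (l.partition(":")[::2] for l in lines)}

def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts and the final verdict dict."""
    phases, verdict = [], {}
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        if lines[0].startswith("Phase:"):
            header = _kv(lines[:4])  # Phase / Type / Subtype / Result
            detail = [l for l in lines[4:] if l not in ("Config:", "Additional Information:")]
            phases.append({"phase": int(header["Phase"]), "type": header["Type"],
                           "subtype": header["Subtype"], "result": header["Result"], "detail": detail})
        elif lines[0].startswith("Result:"):
            verdict = _kv(lines[1:])  # output-interface, output-line-status, Action, ...
    return phases, verdict

def summarize(text):
    """First things a troubleshooter wants: the verdict, the first non-ALLOW phase, the NAT applied."""
    phases, verdict = parse_trace(text)
    drop = next((p for p in phases if p["result"] != "ALLOW"), None)
    nat = next((m.groups() for p in phases for d in p["detail"]
                for m in [re.match(r"Dynamic translate (\S+)/\d+ to (\S+)/\d+", d)] if m), None)
    return {"action": verdict.get("Action"), "egress": verdict.get("output-interface"),
            "dropped_at": drop and f"{drop['type']}/{drop['subtype']}", "nat": nat}
```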

Hi,

Can you please remove this config :

no service-policy outside-policy interface outside
no service-policy inside-policy interface inside

Also are you able to ping 192.168.1.1 ?

Can you check the arp on the ASA ?

show arp 

Regards,

Aditya

My firewall can ping 192.168.1.1, can ping 8.8.8.8, can ping 10.10.1.9, can ping 10.10.1.1. Here is my ARP table as below.

After

no service-policy outside-policy interface outside
no service-policy inside-policy interface inside

But my PC 10.10.1.9 still can't ping any address.

Hi,

Can you check if your Firewall is turned off on the PC ?

Also from the PC are you able to ping 10.10.1.1 ?

Please add a DNS server on your PC ( 4.2.2.2) and check if you can access Internet under the TCP/IPV4 settings.

Regards,

Aditya

HEY!!!

THANK YOU SO MUCH!!!

After I typed in the DNS 4.2.2.2 I can access the Internet now!!

thank you so much!!

Hi kelvin,

Glad to assist.

I would request you to close the discussion.

Regards,

Aditya
