Solved: Cannot ping to server outside ASA 5506 despite permitting icmp traffic

mav773 · ‎04-22-2022

I have a packet tracer project I am working on and I want to have it use a 5506 firewall. However, I cannot ping the 8.8.8.8 server on the outside of the firewall. I can ping the IP on the inside of the ASA, but no IP's on the outside can be pinged. The network has three routers. 2 are the active and standby routers using HSRP, and the 3rd router is the edge router that connects the 2 HSRP routers to the firewall. The ASA firewall is connected to an external router that is connected to a server. I cannot ping from a pc inside the network to the server or router on the outside of the ASA firewall.

Here is my running config for my ASA. Any ideas why this isn't working?

interface GigabitEthernet1/1

nameif inside

security-level 100

ip address 192.168.4.2 255.255.255.0

!

interface GigabitEthernet1/2

nameif outside

security-level 0

ip address 10.1.1.2 255.255.255.0

!

object network INSIDE-NET

host 192.168.4.1

nat (inside,outside) static 110.1.1.52

!

route inside 192.168.4.0 255.255.255.0 192.168.4.1 1

route inside 192.168.0.0 255.255.0.0 192.168.4.1 1

route outside 0.0.0.0 0.0.0.0 10.1.1.4 1

!

access-list AL extended permit tcp any any

access-list AL extended permit icmp any any

access-list AL extended permit icmp any any echo-reply

access-list AL extended permit icmp any any unreachable

!

access-group AL in interface outside

access-group AL in interface inside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect icmp

inspect tftp

!

service-policy global_policy global

!

telnet timeout 5

ssh timeout 5

!

Jon Marshall · ‎04-22-2022

You can see from your traceroute 192.168.1.2 has no route to 8.8.8.8 so it is not even getting to the firewall.

You can either add a specific route for the server to both the HSRP routers (or use a default route) pointing to the edge router which also needs either a specific route or default pointing to 192.168.4.2.

Once you have done that you can probably remove the route I asked you to add to the 1941 router and as long as the NAT is setup on the ASA it should then work.

Jon

View solution in original post

Rob Ingram · ‎04-22-2022

@mav773 are you sure your NAT address (110.1.1.52) is correct?

Run packet-tracer from the CLI and provide the output "packet-tracer input inside icmp 192.168.4.1 8 0 8.8.8.8".

mav773 · ‎04-22-2022

Hi Rob, thank you for your reply. I'm having trouble running that command. I pasted it in the ASA CLI but I keep getting "Invalid input detected at '^' marker." pointing to the word "packet" in the command. I can't find any solutions online, what am I doing wrong?

Rob Ingram · ‎04-22-2022

@mav773 please provide a screenshot of what you pasted and the error.

Is that NAT address correct or not?

mav773 · ‎04-22-2022

Here is the screenshot. I changed the NAT address recently from 192.168.4.2 to the current one. Is the NAT address supposed to match something? I thought it didn't matter what the NAT address was because it's translated from the host IP, so I don't know if it is correct or not.

Rob Ingram · ‎04-22-2022

@mav773 well 110.1.1.52 would need to be routed to the outside interface of the ASA, otherwise upstream devices won't know how to route the return packet. Use 10.1.1.52 which is in the same network as the ASA's outside interface or NAT behind the ASA's outside interface.

Looks like you are using packet tracer application?....perhaps packet-tracer does not work using this application.

mav773 · ‎04-22-2022

Okay, I changed the IP to 10.1.1.52, thanks for explaining that. Yes, I am using the Cisco Packet Tracer application.

Rob Ingram · ‎04-22-2022

@mav773 did that resolve the issue?

mav773 · ‎04-22-2022

No, same issue. When I try to ping the outside network from a PC inside the network, it still says destination host unreachable.

Rob Ingram · ‎04-22-2022

@mav773 that host is 192.168.4.1 right? .....your nat rule only applies to that ip

Can you ping 8.8.8.8 directly from the ASA itself?

mav773 · ‎04-22-2022

The PC I am pinging from is 192.168.1.100. The router is the one with the 192.168.4.1 address. I will attach a screenshot of the network diagram.

The ASA can ping 8.8.8.8 and has a 100% success rate.

Rob Ingram · ‎04-22-2022

@mav773 well that would not be natted, only traffic from the host 192.168.4.1 would be translated.

Unless you are not expecting to translate the trafffic?

You can create a NAT rule cover all your internal networks, example:-

object network INSIDE-NET
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

mav773 · ‎04-22-2022

That makes sense, I changed the NAT rule to that one. Unfortunately, I am still getting the same issue when pinging from a PC to the outside server.

Jon Marshall · ‎04-22-2022

Just to rule out a NAT issue, on the 1941 router can you add this route as a test -

ip route 192.168.0.0 255.255.0.0 10.1.1.2

and then try pinging.

Jon

mav773 · ‎04-22-2022

Hi Jon, thank you for your reply. I ran that command and I am still getting the same "Destination host unreachable" response after pinging.