3713 Views, 5 Helpful, 21 Replies

Cannot ping to server outside ASA 5506 despite permitting icmp traffic

mav773 (Level 1)

I have a Packet Tracer project I am working on and I want to have it use a 5506 firewall. However, I cannot ping the 8.8.8.8 server on the outside of the firewall. I can ping the IP on the inside of the ASA, but no IPs on the outside can be pinged. The network has three routers. Two are the active and standby routers using HSRP, and the third router is the edge router that connects the two HSRP routers to the firewall. The ASA firewall is connected to an external router that is connected to a server. I cannot ping from a PC inside the network to the server or router on the outside of the ASA firewall.

Here is my running config for my ASA. Any ideas why this isn't working?

interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.4.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
object network INSIDE-NET
 host 192.168.4.1
 nat (inside,outside) static 110.1.1.52
!
route inside 192.168.4.0 255.255.255.0 192.168.4.1 1
route inside 192.168.0.0 255.255.0.0 192.168.4.1 1
route outside 0.0.0.0 0.0.0.0 10.1.1.4 1
!
access-list AL extended permit tcp any any
access-list AL extended permit icmp any any
access-list AL extended permit icmp any any echo-reply
access-list AL extended permit icmp any any unreachable
!
access-group AL in interface outside
access-group AL in interface inside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
  inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!

21 Replies

Do your internal routers have routes or default routes pointing to the firewall?

 

It sounds like the traffic is not being sent to the firewall so can you do a traceroute from the PC to the server and post the results. 

 

Jon

The internal routers do have a RIP routing table. I am also able to ping the inside interface of the firewall. I did a traceroute to the server first, and then I did a traceroute to the inside interface of the firewall. Here is the screenshot.

 

You can see from your traceroute that 192.168.1.2 has no route to 8.8.8.8, so it is not even getting to the firewall.

 

You can either add a specific route for the server to both the HSRP routers (or use a default route) pointing to the edge router, which also needs either a specific route or a default route pointing to 192.168.4.2.

 

Once you have done that you can probably remove the route I asked you to add to the 1941 router and as long as the NAT is setup on the ASA it should then work. 

 

Jon

Thank you so much! That's what did it. Ping is successful!

Need to configure a static route in the external router for return traffic from 8.8.8.8 to the PC.

I have the static route of 0.0.0.0 going to the next hop of the ASA outside IP interface. I added another static route for the 8.8.8.0 network to go to the ASA outside interface as well. Still no change.

"I have the static route of 0.0.0.0 going to the next hop of the ASA outside IP interface" <- is this config in the external router??

 

no object network INSIDE-NET  <- you must delete this NAT, otherwise it still affects your traffic even after you add the new NAT
 host 192.168.4.1
 nat (inside,outside) static 110.1.1.52

object network INSIDE-NET
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
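Pulling the two fixes in this thread together (the routes Jon asked for on the HSRP and edge routers, and the NAT change in the reply above), here is an added example of the complete set of changes as a practitioner would apply and verify them. This is not the original poster's configuration or anything posted in the thread: the edge router's LAN-side address 192.168.1.254 and the PC address 192.168.1.10 are assumed (the thread only shows that a hop at 192.168.1.2 had no route), and the name OUTSIDE_IN is an arbitrary ACL name chosen here. Addresses 192.168.4.2, 10.1.1.2, 10.1.1.4 and the 192.168.0.0/16 summary come from the posted config and replies.

```cisco
! --- HSRP routers (active and standby): send anything RIP does not know
! --- towards the edge router. 192.168.1.254 is an ASSUMED address for the
! --- edge router's LAN-side interface; the thread does not state it.
ip route 0.0.0.0 0.0.0.0 192.168.1.254

! --- Edge router: default route to the ASA inside interface (192.168.4.2
! --- in the posted config). Alternatively advertise it into RIP with
! --- "router rip" / "default-information originate".
ip route 0.0.0.0 0.0.0.0 192.168.4.2

! --- External router (10.1.1.4): once the ASA does PAT behind its outside
! --- address, return traffic is addressed to 10.1.1.2, which is on the
! --- connected 10.1.1.0/24 network, so no route for 110.1.1.x is needed.
ip route 0.0.0.0 0.0.0.0 10.1.1.2

! --- ASA: the static one-to-one NAT only covered host 192.168.4.1 (the edge
! --- router), so PCs on 192.168.x.x were never translated. Replace it with
! --- PAT of every inside subnet behind the outside interface address.
no object network INSIDE-NET
object network INSIDE-NET
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
clear xlate

! --- ASA: "inspect icmp" is already in global_policy, so echo-replies to
! --- inside-initiated pings are matched to the session and need no inbound
! --- permit. The posted "permit tcp any any" applied inbound on the outside
! --- interface allows any outside host to reach any translated inside
! --- address; nothing in this scenario needs inbound access, so replace it
! --- with an explicit logged deny (the ASA would also deny low-to-high
! --- traffic by default with no ACL bound at all).
no access-group AL in interface outside
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- Verify on the ASA before pinging from the PC: simulate a PC's echo
! --- request (192.168.1.10 is an ASSUMED PC address) and confirm the NAT
! --- rule is hit. Packet Tracer's ASA image may not implement every command
! --- below; on a real ASA all three exist.
packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8
show nat
show xlate
```

If the packet-tracer output stops at the ROUTE-LOOKUP or NAT phase, the problem is on the ASA; if it reports ALLOW but the PC still cannot ping, the drop is on one of the routers, which is exactly what the traceroute in this thread showed.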
