Devices unable to reach the Internet

jf1134
Level 1

I need some help trying to figure out a problem that I am having. I have a switch connected to my ASA. From the ASA I can get out to the internet and I can ping the internal switch. From the switch I can ping the internal IP of the ASA, but I can't ping 8.8.8.8.

On the ASA I have a route: route outside 0.0.0.0 0.0.0.0 50.242.252.134 1

On the switch I have a route: ip route 0.0.0.0 0.0.0.0 172.16.128.2

I can't figure out what I am missing here in order for the switch to be able to get out to the internet.

Accepted Solution

balaji.bandi
Hall of Fame

The ASA by nature blocks ping from the inside.

Things required to check: is NAT enabled for the 172.16.128.x address?

If the IPs are different from 172.16.128.X, then you need a route back from the ASA to the switch.

Here is a guide (ignore the DMZ part):

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

BB


5 Replies

@jf1134 

Do you have NAT configured on the ASA for the network that the ping is sourced from?

If you do, do you have an ACL to permit icmp echo replies or MPF to inspect icmp? If not run "fixup protocol icmp" to allow icmp inspection.

If you are still having an issue run packet-tracer from the CLI and provide the output for review. E.g. - "packet-tracer input INSIDE icmp <source ip> 8 0 8.8.8.8"
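The three checks the two answers above describe (NAT for the source subnet, a return route when the ping is sourced from a subnet behind the switch, and ICMP inspection so echo replies are allowed back through the stateful firewall), written out as an added ASA configuration example that is not from the original thread. It assumes interface nameifs "inside" and "outside", a switch inside IP of 172.16.128.1, and a second LAN 10.10.10.0/24 behind the switch; only the 172.16.128.2 and 50.242.252.134 addresses and the default route come from the post.

```text
! Constructed example, not the poster's config.
! 1) NAT: the inside subnet the ASA interface lives on (172.16.128.0/24 assumed)
object network INSIDE-NET
 subnet 172.16.128.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! 2) A LAN behind the switch (10.10.10.0/24 is an assumption) needs both a
!    NAT rule and a route back via the switch's inside IP (172.16.128.1 assumed);
!    without the route the ASA cannot return the echo reply to that subnet.
object network SWITCH-LAN
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
route inside 10.10.10.0 255.255.255.0 172.16.128.1 1
!
! Default route toward the ISP, as given in the original post
route outside 0.0.0.0 0.0.0.0 50.242.252.134 1
!
! 3) ICMP inspection: without it (or an inbound ACL on "outside" permitting
!    echo-reply) the reply from 8.8.8.8 is dropped even though the request left.
!    "fixup protocol icmp" is the legacy form the ASA maps onto this policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify which NAT rule matches and whether the flow is allowed end to end
packet-tracer input inside icmp 172.16.128.1 8 0 8.8.8.8
show nat
show service-policy inspect icmp
```

The packet-tracer output ends with an ALLOW or DROP verdict and names the phase (ROUTE-LOOKUP, NAT, INSPECT) that produced it, which tells you which of the three items above is still missing.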


I added the NAT rule from the document, but I am still seeing the same thing. I can't get out to the internet.

So I can ping the internal IP of the ASA from the switch now. I just can't get past the ASA.

@Rob Ingram wrote:

If you do, do you have an ACL to permit icmp echo replies or MPF to inspect icmp? If not run "fixup protocol icmp" to allow icmp inspection.

If you are still having an issue run packet-tracer from the CLI and provide the output for review. E.g. - "packet-tracer input INSIDE icmp <source ip> 8 0 8.8.8.8"

Did you check what I suggested previously? ...because by default a ping won't be permitted until you either define an ACL or inspect icmp. Run the command "fixup protocol icmp" from the CLI.

If that doesn't work, running packet-tracer will indicate which NAT rule (if any) is being matched and whether the traffic should be allowed/denied.

It's working now. I messed up the NAT rule the first time I did it.
