Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2953
Views
0
Helpful
5
Replies

Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab ||

Abdul Mateen
Level 1
Level 1

‎08-13-2020 02:33 AM

I have a simple topology where two inside VLANS have HSRP Gateways needs to access Internet through ASA. 

I can ping the inside Interface of ASA 5506 (Packet Tracer Simulator) from PC/Laptop but cant able to ping the Internet Router. Can any one share the valid solution with explanation for ASA config as i possibly think its a NAT issue. 
Screenshot+ ASA Config attached.

 

 

SharedScreenshot.jpgSharedScreenshot2.jpg

Preview file
2 KB
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎08-13-2020 02:41 AM

Hi,
In order to ping through your ASA, you either need to permit the return icmp traffic or enable ICMP inspection. Run the command "fixup protocol icmp" to enable ICMP inspection.

NAT your traffic behind the ASA's interface, amend your existing NAT to "nat (inside2,outside) dynamic interface"
0 Helpful

Abdul Mateen
Level 1
Level 1
In response to Rob Ingram

‎08-13-2020 02:57 AM

Thanks for your reply.

I am untouch from ASA quite long.
I would be glad if you please enlighten me a bit about NAT (Static &
Dynamic) operation in ASA in and exact commands to make it work.
Also fixup protocol icmp is not working in ASA Packet Tracer.
[image: image.png]
0 Helpful

Rob Ingram
VIP
VIP
In response to Abdul Mateen

‎08-13-2020 03:10 AM

The image is not displayed, does packet tracer no like the command?
Amend you not NAT like below.

object network inside_inet
no (inside2,outside) static 172.16.10.0
nat (inside2,outside) dynamic interface

You NAT assumes that traffic is coming via "inside2" interface, you also have "inside" interface and would need a NAT rule for that.
0 Helpful

Abdul Mateen
Level 1
Level 1
In response to Rob Ingram

‎08-18-2020 12:37 AM

ciscoasa#sh run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
security-level 100
ip address dhcp
shutdown
!
interface GigabitEthernet1/3
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside_inet
subnet 192.168.50.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
route inside 172.16.10.0 255.255.255.0 192.168.50.2 1
route inside 192.168.10.0 255.255.255.0 192.168.50.2 1
route inside 192.168.20.0 255.255.255.0 192.168.50.2 1
!
!
!
object network inside_inet
nat (inside,outside) dynamic interface
!
!
!
!
class-map C1
match default-inspection-traffic
!
policy-map P1
class C1
inspect icmp
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
ciscoasa#
0 Helpful

Abdul Mateen
Level 1
Level 1
In response to Abdul Mateen

‎08-18-2020 12:54 AM

I have modified a little in the topology and add a L3 Switch before ASA. 

I can now ping ASA internal interface from desktop computer but cant be able to reach the internet. 
ASA config attached.
SharedScreenshot.jpg
Preview file
2 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card