Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
601
Views
0
Helpful
3
Replies

NAT problem help!

Go to solution
klncy2014
Level 1
Level 1

‎05-23-2013 07:13 PM - edited ‎03-11-2019 06:48 PM

Hello guys,

  I hope some one can help me out here. I have Cisco ASA 5520 with  a 8.4 code in GNS3.  I have a problem pinging to the internet.  On the ASA console, I can ping  to outside world, but on vpc  I cannot ping the outside world.  But I can ping the ASA Inside interface and other VLANs, no problem.   Here is my config file, please take a look and see what Im doing wrong.

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif inside

security-level 100

no ip address

!

interface GigabitEthernet0.10

vlan 10

nameif vlan10

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface GigabitEthernet0.20

vlan 20

nameif vlan20

security-level 100

ip address 20.20.20.1 255.255.255.0

!

interface GigabitEthernet1

no nameif

no security-level

no ip address

!

interface GigabitEthernet1.10

vlan 100

nameif outside

security-level 0

ip address 192.168.137.2 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network vlan10

subnet 10.10.10.0 255.255.255.0

object network vlan20

subnet 20.20.20.20.0 255.255.255.0

!

pager lines 24

mtu inside 1500

mtu vlan10 1500

mtu vlan20 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

no asdm history enable

arp timeout 14400

!

object network vlan10

nat (any,outside) dynamic interface

object network vlan20

nat (any.outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 192.168.137.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0: 05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0 :02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart wa rmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-23-2013 08:23 PM

Hi,

Well you seem to have configured Dynamic PAT for the local networks so there should be no problem with NAT

You could try enabling ICMP inspection

You can use commands

fixup protocol icmp

fixup protocol icmp error

OR you can add them in the following way in a default ASA configuration

policy-map global_policy

class inspection_default

   inspect icmp

   inspect icmp error

Hope this helps

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-23-2013 08:23 PM

Hi,

Well you seem to have configured Dynamic PAT for the local networks so there should be no problem with NAT

You could try enabling ICMP inspection

You can use commands

fixup protocol icmp

fixup protocol icmp error

OR you can add them in the following way in a default ASA configuration

policy-map global_policy

class inspection_default

   inspect icmp

   inspect icmp error

Hope this helps

- Jouni

0 Helpful

Go to solution
klncy2014
Level 1
Level 1
In response to Jouni Forss

‎05-23-2013 08:31 PM

JF, thanks alot for the fast reply.  When I entered the fixup protocol icmp. I get this

converting 'fixup protocol icmp ' to MPF commands

Different version or something? Well, anyway you solved my problem .  Next step is ping by FDQN instead of IP.

Thank you again!

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to klncy2014

‎05-23-2013 08:37 PM

Hi,

Glad it helped.

The reason you are seeing that message is that we are entering an old format of the "inspect" command. I didnt originally even know this was still supported until I saw it here on the forums. I have found it to be a pretty easy command to enable the ICMP Inspection instead of going under the "policy-map" configurations every time.

As I mentioned above you could have achieved the same thing in the other way too and it would have done the same configurations essentially.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card