05-23-2013 07:13 PM - edited 03-11-2019 06:48 PM
Hello guys,
I hope some one can help me out here. I have Cisco ASA 5520 with a 8.4 code in GNS3. I have a problem pinging to the internet. On the ASA console, I can ping to outside world, but on vpc I cannot ping the outside world. But I can ping the ASA Inside interface and other VLANs, no problem. Here is my config file, please take a look and see what Im doing wrong.
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0.10
vlan 10
nameif vlan10
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0.20
vlan 20
nameif vlan20
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1.10
vlan 100
nameif outside
security-level 0
ip address 192.168.137.2 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vlan10
subnet 10.10.10.0 255.255.255.0
object network vlan20
subnet 20.20.20.20.0 255.255.255.0
!
pager lines 24
mtu inside 1500
mtu vlan10 1500
mtu vlan20 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
!
object network vlan10
nat (any,outside) dynamic interface
object network vlan20
nat (any.outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0: 05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0 :02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart wa rmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
Solved! Go to Solution.
05-23-2013 08:23 PM
Hi,
Well you seem to have configured Dynamic PAT for the local networks so there should be no problem with NAT
You could try enabling ICMP inspection
You can use commands
fixup protocol icmp
fixup protocol icmp error
OR you can add them in the following way in a default ASA configuration
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Hope this helps
- Jouni
05-23-2013 08:23 PM
Hi,
Well you seem to have configured Dynamic PAT for the local networks so there should be no problem with NAT
You could try enabling ICMP inspection
You can use commands
fixup protocol icmp
fixup protocol icmp error
OR you can add them in the following way in a default ASA configuration
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Hope this helps
- Jouni
05-23-2013 08:31 PM
JF, thanks alot for the fast reply. When I entered the fixup protocol icmp. I get this
converting 'fixup protocol icmp ' to MPF commands
Different version or something? Well, anyway you solved my problem . Next step is ping by FDQN instead of IP.
Thank you again!
05-23-2013 08:37 PM
Hi,
Glad it helped.
The reason you are seeing that message is that we are entering an old format of the "inspect" command. I didnt originally even know this was still supported until I saw it here on the forums. I have found it to be a pretty easy command to enable the ICMP Inspection instead of going under the "policy-map" configurations every time.
As I mentioned above you could have achieved the same thing in the other way too and it would have done the same configurations essentially.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide