Ping Issues between ASA and Router NAT

Ping Issues between ASA and Router - Access-list 99 Impact (Access-list 101 not the issue)

Problem Description:

I'm experiencing ping connectivity issues between two networks: 192.168.110.0/25 (behind an ASA firewall) and 172.16.20.0/24 (behind a Cisco router - T-R1).

Initially, the T-R1 router had NAT configured, and an access-list 99 (permit 172.16.20.0 0.0.0.255) was in place. Pings from the 192.168.110.0/25 network were not successful.

After removing the NAT configuration from the T-R1 router, I found that removing the access-list 99 resolved the ping issue. So it seems that the access-list 99 was the culprit.

I also have an access-list 101 on the T-R1 router, but I don't believe this is causing the issue, as pings work fine once access-list 99 is removed.

ASA Version 9.6(1)
!
hostname GYASA
names
!
interface GigabitEthernet1/1
 nameif belso1
 security-level 100
 ip address 192.168.110.1 255.255.255.128
 ipv6 address 2001:CB10:110::1/64
!
interface GigabitEthernet1/2
 nameif belso2
 security-level 100
 ip address 192.168.120.1 255.255.255.128
 ipv6 address 2001:CB20:120::1/64
!
interface GigabitEthernet1/3
 nameif kulso
 security-level 0
 ip address 10.0.0.34 255.255.255.252
 ipv6 address 2001:CB1:50::2/64
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
 shutdown
!
object network belsohalo1
 subnet 192.168.110.0 255.255.255.128
 nat (belso1,kulso) dynamic interface
object network belsohalo2
 subnet 192.168.120.0 255.255.255.128
 nat (belso2,kulso) dynamic interface
!
route kulso 0.0.0.0 0.0.0.0 10.0.0.33 1
!
access-list inside_to_internet extended permit tcp any any
access-list inside_to_internet extended permit icmp any any
access-list KIVULROL_BE extended deny ip any 192.168.110.0 255.255.255.0
access-list KIVULROL_BE extended deny ip any 192.168.120.0 255.255.255.0
access-list KIVULROL_BE extended deny ip any any
access-list KIVULROL_BE extended permit tcp any any eq www
access-list KIVULROL_BE extended permit tcp any any eq 443
access-list KIVULROL_BE extended permit tcp any any eq 1883
access-list KIVULROL_BE extended permit tcp any any eq 8883
access-list KIVULROL_BE extended deny tcp any any eq telnet
access-list KIVULROL_BE extended deny tcp any any eq ftp
access-list KIVULROL_BE extended deny icmp any any
access-list KIVULROL_BE extended permit icmp any any echo
access-list KIVULROL_BE extended permit ip any any
!
access-group inside_to_internet in interface kulso
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
dhcpd address 192.168.110.10-192.168.110.50 belso1
dhcpd dns 192.168.40.10 interface belso1
dhcpd enable belso1
!
dhcpd address 192.168.120.10-192.168.120.50 belso2
dhcpd dns 192.168.40.10 interface belso2
dhcpd enable belso2
!
router ospf 10
 log-adjacency-changes
 network 192.168.110.0 255.255.255.128 area 110
 network 192.168.120.0 255.255.255.128 area 120

Current configuration : 1580 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Cloud
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2911/K9 sn FTX1524GKA5-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 10.0.0.25 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.0.33 255.255.255.252
 duplex auto
 speed auto
 ipv6 address 2001:CB1:50::1/64
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.6 255.255.255.252
 ipv6 address 2001:CB1:10::1/64
 ipv6 enable
!
interface GigabitEthernet0/1/0
 ip address 10.0.0.10 255.255.255.252
 ipv6 address 2001:CB1:40::1/64
 ipv6 enable
!
interface GigabitEthernet0/2/0
 ip address 10.0.0.2 255.255.255.252
 ipv6 address 2001:CB1:30::1/64
!
interface GigabitEthernet0/3/0
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 10
 router-id 20.20.20.20
 log-adjacency-changes
 redistribute static subnets
 passive-interface GigabitEthernet0/0
 network 10.0.0.4 0.0.0.3 area 0
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.8 0.0.0.3 area 0
 network 10.0.0.24 0.0.0.3 area 0
 network 10.0.0.32 0.0.0.3 area 0
!
ip classless
ip route 192.168.100.0 255.255.255.0 GigabitEthernet0/0
ip route 209.100.1.0 255.255.255.0 10.0.0.9
ip route 192.168.110.0 255.255.255.128 10.0.0.34
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end


T-R1(config)#do sh run
Building configuration...

Current configuration : 1351 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname T-R1
!
no ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
license udi pid CISCO2911/K9 sn FTX1524HHGL-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 10.0.0.21 255.255.255.252
 ip nat inside
 duplex auto
 speed auto
 ipv6 address 2001:DB8:2::1/64
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 enable
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/3/0
 ip address 10.0.0.9 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ipv6 address 2001:CB1:40::2/64
 ipv6 address autoconfig
 ipv6 enable
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 10
 router-id 30.30.30.30
 log-adjacency-changes
 network 10.0.0.8 0.0.0.3 area 0
 network 10.0.0.20 0.0.0.3 area 0
!
ip nat pool Dynamic-tb 201.100.100.1 201.100.100.100 netmask 255.255.255.0
ip nat inside source list 1 pool Dynamic-tb
ip nat inside source static 172.16.10.10 209.100.1.1
ip classless
ip route 192.168.110.0 255.255.255.128 10.0.0.34
!
ip flow-export version 9
!
access-list 1 permit 172.16.20.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

4 Replies

Can you share the topology? I see two routers and one ASA.

Also, can you elaborate more on the OSPF you use? I see both static routes and OSPF.

MHM

Hello!

I uploaded the whole project to Drive so you can download it from here. Thanks in advance!

ping issue asa -> router

Sorry, I cannot open the PKT file.

I don't use Packet Tracer anymore.

Hope others can help you.

MHM

Sheraz.Salim
VIP Alumni

Here are my thoughts. The ping connectivity issue between 192.168.110.0/25 (ASA) and 172.16.20.0/24 (T-R1) stems from a combination of NAT configuration and access-list conflicts on T-R1. Let me break it down.

NAT configuration conflict: T-R1 originally had

ip nat inside source list 1 pool Dynamic-tb
access-list 1 permit 172.16.20.0 0.0.0.255

This caused source IP translation for traffic originating from 172.16.20.0/24 when exiting T-R1's NAT outside interface. Return traffic to the ASA (from 172.16.20.x) was rewritten with NAT pool IPs (201.100.100.x), which the ASA didn't recognize as valid responses to the original pings.

On the ASA NAT configuration: the ASA's belso1 interface uses dynamic PAT

nat (belso1,kulso) dynamic interface

Outbound pings from 192.168.110.0/25 were already being translated to the ASA's kulso interface IP (10.0.0.34). T-R1's additional NAT created a double-NAT scenario, breaking the ICMP echo-reply path consistency.

With NAT enabled, T-R1's access-list 1 allowed NAT for 172.16.20.0/24 but blocked non-NATted traffic from 192.168.110.0/25 due to the implicit deny in NAT rules. After removing NAT and access-list 1, traffic flowed natively via the static route

ip route 192.168.110.0 255.255.255.128 10.0.0.34

ensuring unmodified bidirectional communication.

Why access-list 101 wasn't the issue: access-list 101 on T-R1's Gig0/3/0 inbound

interface Gig0/3/0
  ip access-group 101 in

only filters incoming traffic to T-R1's NAT outside interface; it does not affect outbound responses to the ASA.

Workaround:

Removing NAT eliminated the IP translation conflicts.

Removing access-list 1 (misidentified as 99 in the query) stopped unintended filtering of non-NATted traffic.

Apply this configuration on the ASA:

access-list KIVULROL_BE extended permit icmp any any echo
access-list KIVULROL_BE extended permit icmp any any echo-reply

Please do not forget to rate.
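As an added example (not from the thread or from Cisco), the following Python models Cisco first-match ACL evaluation over the lists posted above: IOS access-list 1 with its wildcard mask, which decides which sources `ip nat inside source list 1` translates, and the ASA's KIVULROL_BE list, whose entries are checked for shadowing by an earlier broader entry so the reader can see where an appended `permit icmp any any echo-reply` line lands in match order. The network and mask values are copied from the posted configs; the entry tuples are a constructed simplification (destination and ICMP type only).

```python
# Added example: offline audit of Cisco ACL ordering; not Cisco's own code.
import ipaddress

def _i(addr):
    return int(ipaddress.IPv4Address(addr))

def ios_wildcard_match(addr, base, wildcard):
    """IOS standard ACL: a 0 bit in the wildcard means that bit must match."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) & care) == (_i(base) & care)

def asa_match(addr, net, mask):
    """ASA extended ACL: a 1 bit in the netmask means that bit must match."""
    return (_i(addr) & _i(mask)) == (_i(net) & _i(mask))

# ASA entries as (action, protocol, dst_net, dst_mask, icmp_type); "any" is
# written as 0.0.0.0 / 0.0.0.0. ICMP lines taken from KIVULROL_BE above.
KIVULROL_BE = [
    ("deny",   "ip",   "192.168.110.0", "255.255.255.0", None),
    ("deny",   "ip",   "192.168.120.0", "255.255.255.0", None),
    ("deny",   "ip",   "0.0.0.0",       "0.0.0.0",       None),
    ("permit", "icmp", "0.0.0.0",       "0.0.0.0",       "echo"),
    ("permit", "icmp", "0.0.0.0",       "0.0.0.0",       "echo-reply"),
]

def first_match(acl, proto, dst, icmp_type=None):
    """Cisco ACLs stop at the first matching entry; implicit deny at the end."""
    for idx, (action, p, net, mask, itype) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if itype is not None and itype != icmp_type:
            continue
        if asa_match(dst, net, mask):
            return idx, action
    return None, "deny"

def shadowed_entries(acl):
    """(entry, earlier) pairs where the earlier, broader entry always wins."""
    out = []
    for idx, (_, p, net, mask, itype) in enumerate(acl):
        for j, (_, p2, net2, mask2, itype2) in enumerate(acl[:idx]):
            proto_cover = p2 == "ip" or (p2 == p and itype2 in (None, itype))
            # mask2 is no longer than mask and net lies inside net2/mask2
            net_cover = (_i(mask2) & _i(mask)) == _i(mask2) and asa_match(net, net2, mask2)
            if proto_cover and net_cover:
                out.append((idx, j))
                break
    return out
```

Running `shadowed_entries(KIVULROL_BE)` reports both ICMP permits as shadowed by the `deny ip any any` at index 2, the kind of ordering check worth running before appending entries to a list.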