Pinging through ASA from Outside

Hi everyone,

I have this basic scenario:

(LAN) --------- (ASA) ---------- (DSL Router) ---------- (Internet)

I am able to ping the DSL Router from the LAN but not vice versa. Is it a common case with the ASA deployed in between or am I missing something?

I have an explicitly written extended ACL to permit ip any any.

Any shared thoughts are appreciated, thank you.


Hi,

Do you have NAT configured for inbound and outbound traffic? I assume you do.

For outbound traffic you probably have a dynamic NAT rule, for all internal traffic to be NATted behind the firewall.

 

For inbound traffic you would need to add a static NAT (in addition to the ACL you have in place), however normally you would not want to ping inbound from the internet to the local LAN.


Hi Rob,

I did not implement NAT for inbound traffic. As for the outbound traffic, I have dynamic NAT.

Anyways, here's the configuration of the ASA.

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!
access-list LAN1 extended permit ip any any
!
access-group LAN1 in interface outside
object network LAN1
 nat (inside,outside) dynamic interface
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside

I didn't find it necessary to implement NAT from inside-to-outside and from outside-to-inside, as I'm dealing with private networks 192.168.1.0/24 (LAN) and 10.10.10.0/24 (outside). I kept NAT from inside-to-outside though.

Because you have NAT configured from inside to outside, the reply to the inside network will be NATted. If you do not wish traffic from the inside network to the ISP network on the outside to be NATted, you should define a NAT exemption rule; traffic would then not be NATted between those two networks. You need to ensure that the ISP router has a route to the 192.168.1.0/24 network via the ASA.

 

Example NAT exemption config:-

object network ISP
 subnet 10.10.10.0 255.255.255.0

nat (inside,outside) source static LAN1 LAN1 destination static ISP ISP no-proxy-arp

HTH

But what sparked my concern is that if the security level of outside (0) is supposedly omitted, then the ICMP packets would successfully get through from outside-to-inside, which made me think that it is more related to the ACL rather than NAT... maybe I am wrong!

Having said that, I didn't have an issue with PING replies getting through the ASA from outside-to-inside when the PING requests have been initiated from the inside.

I hope I am being clear in explaining what I meant...

Anyways, I will try to implement the exemption of NAT that you suggested in the previous post, and will let you know the outcome.

My update:

A- I added the two commands, but the latter couldn't be written as suggested, so I had to edit it according to what Packet Tracer allows me to do. Therefore, the command was:
nat (inside,outside) static LAN1
where LAN1 is 192.168.1.0/24, as I could not add "source static LAN1 LAN1 destination static ISP ISP" to the command. I knew that the command was incomplete and thus useless, but that's all I could do, so I referred to solution B.

B- I removed all NAT rules to clear my mind of doubts that the NAT rules might be causing it, then I tried pinging from outside-to-inside, but that didn't work either.


Does the ISP/DSL router have a route to the 192.168.1.0/24 via the ASA?

The formatting of the commands above was lost in the initial post; I've amended it. The NAT exemption rule is global and not defined under an object.

Run packet-tracer from the CLI and provide the output for review.


Rob, I will apply the rule and will let you know what is the outcome as soon as possible because I am currently unable to resume testing. 


Firstly, the DSL Router has a static route configured pointing to the internal network of the ASA (192.168.1.0/24).

Here's the basic running configuration of the DSL Router:

hostname IR800
!
boot system flash ir800-universalk9-mz.SPA.155-3.M
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool LAN2
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.1
!
ip cef
no ipv6 cef
!
license udi pid IR829GW-LTE-NA-AK9 sn FTX1806A5BV-
license boot module ir800 technology-package datak9 disable
!
spanning-tree mode pvst
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet1
 description Connecting ASA0
 switchport access vlan 2
!
interface GigabitEthernet2
 description Connecting Switch0
 switchport mode trunk
!
interface GigabitEthernet3
!
interface GigabitEthernet4
!
interface wlan-ap0
 no ip address
!
interface Wlan-GigabitEthernet0
!
interface GigabitEthernet5
 no ip address
 duplex auto
 speed auto
!
interface Cellular0
 no ip address
 shutdown
!
interface Cellular1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 mac-address 0010.1112.2801
 ip address 10.10.10.1 255.255.255.0
!
ip classless
ip route 192.168.1.0 255.255.255.0 10.10.10.2
!
ip flow-export version 9
!
line con 0
!
line 1 2
!
line 3
!
line 4
 transport input all
!
line 8
!
line 1/3 1/6
!
line vty 0 4
 login
!
end

Secondly, I edited the configuration on the ASA by adding a class and policy map, so here's the updated running configuration:

hostname ciscoasa
enable password ********************
passwd *****************************
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network LAN1
subnet 192.168.1.0 255.255.255.0
access-list inbound extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network LAN1
nat (inside,outside) dynamic interface
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d56ac64f9c830fa33a0385ba1c08e6a7
: end

Finally, I have run the packet-tracer command from CLI on ASA, and here's the output:

ciscoasa# packet-tracer input outside icmp 10.10.10.1 0 0 192.168.1.3

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LAN1
nat (inside,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The type and code that I used are 0 0 as I'm investigating for the inbound traffic, otherwise I'll use 8 0 for the outbound traffic.


As you can see in the packet-tracer output the packet is being NATTED behind the outside interface.

 

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LAN1
nat (inside,outside) dynamic interface
Additional Information:

 

I do not see the NAT exemption rule in your configuration, either add it (using the example I previously provided) or temporarily remove the dynamic NAT.

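As an added illustration (not code from this thread, from Cisco, or from either poster), here is a small Python helper that reads packet-tracer output the way Rob does above: it splits the output into phases, returns the first phase whose Result is DROP together with the config lines it matched, and checks a running configuration for the identity twice-NAT exemption rule he proposed earlier (source static X X destination static Y Y). The sample output is constructed, abridged from the packet-tracer output posted in this thread; the object names are parameters, not assumptions about any particular device.

```python
import re

# Constructed sample: the dropping phase and summary from the packet-tracer output in this thread.
PACKET_TRACER = """\
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LAN1
nat (inside,outside) dynamic interface
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into phases: dicts with type, subtype, result and matched config lines."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue  # the trailing "Result:" summary is not a phase
        phase = {"config": []}
        in_config = False
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif line.startswith("Config:"):
                in_config = True  # everything up to "Additional Information:" is the rule that matched
            elif line.startswith("Additional Information:"):
                in_config = False
            elif in_config:
                phase["config"].append(line.strip())
        phases.append(phase)
    return phases

def first_drop(phases):
    """Return the first phase with Result DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def has_nat_exemption(config, inside_obj, outside_obj):
    """True if the config carries the identity twice-NAT rule for the two objects (NAT exemption)."""
    pat = (rf"^nat \(inside,outside\) source static {re.escape(inside_obj)} {re.escape(inside_obj)} "
           rf"destination static {re.escape(outside_obj)} {re.escape(outside_obj)}\b")
    return any(re.match(pat, line.strip()) for line in config.splitlines())
```

Run it over a saved `packet-tracer` output and `show running-config` to confirm that the drop really is the rpf-check in the NAT phase and that the exemption rule actually made it into the configuration before reloading anything.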

Yes it is, and I did remove the dynamic NAT, as it was the easier choice, but that didn't solve my problem.

Here's a capture of packet-tracer from CLI when pinging is initiated from outside-to-inside and in particular from [ext IP address of ASA = 10.10.10.2] to [int IP address of ASA = 192.168.1.1] using inbound traffic with type and code 8 0:

ciscoasa# packet-tracer input outside icmp 10.10.10.2 8 0 192.168.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here's a capture of packet-tracer from CLI when pinging is initiated from inside-to-outside and in particular from [int IP address of ASA = 192.168.1.1] to [ext IP address of ASA = 10.10.10.2] using outbound traffic with type and code 8 0:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 363, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow


192.168.1.1 is the inside IP address of your ASA, so I'd expect your test to fail. The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface (outside) to a far interface (inside).

Ping through the ASA to test, not to the ASA.

But even pinging initiated from outside-to-inside, precisely to a PC on the local LAN (192.168.1.0/24), doesn't succeed. That means, if I am using the router's IP address of 10.10.10.1 to ping the PC's IP address of 192.168.1.5, the ping reply times out.


Provide the full output of "packet-tracer input outside icmp 10.10.10.2 8 0 192.168.1.5"
Provide the current ASA configuration and the output of "show nat detail".
Does the device 192.168.1.5 have a local firewall that could be blocking ping response?

Rob, I reloaded both devices, the router and the ASA and guess what? It finally worked!

I am now able to ping any inside device from outside the ASA. Therefore, I would like to thank you for solving my issue, and I will mark the issue as solved! :)
