Routing failed to locate next hop for ICMP Firewall

benolyndav
Level 4

Please see the attached document; I can't ping through the firewall in the DMZ with two ASAs.


Thanks

11 Replies

Hi,
Ping/ICMP is blocked on the ASA by default. Try this:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class default-inspection-class
ASA(config-pmap-c)# inspect icmp
or

ASA(config)# fixup protocol icmp

HTH

Hi

Already added to both firewalls. Any more ideas?


Thanks

Without seeing your configuration of all devices it's a bit hard. You said you cannot ping beyond .2 - do the devices beyond .2 have a route back to the source network you were pinging from? Are you natting anywhere?

Hi

No NAT. I can ping from the outside interface of the inside firewall (.2) to the inside interface of the internet-facing firewall (.1); these are on the same subnet, connected to the 3850. But I cannot ping from the inside firewall beyond .2 of the internet firewall, and I cannot ping from the internet-facing firewall's .2 through to the public address on the outside interface of the internet-facing firewall. I have a default route pointing to the outside interface, any any. When I try putting a route on the inside firewall pointing to .2, it says it's a connected interface. What routes are needed, and where, please? Could it be because the firewalls have an interface in the same subnet?


Thanks

Can you provide the full configuration of the firewalls and switches, indicating which firewall and switch relates to what in the diagram? Thanks

Hi

I can't provide the config yet, but I have done another doc; see the attachment.


Thanks

OK, if you are pinging the internet from 172.20.57.2 and it fails, it would fail if you don't have NAT configured. You'd need to NAT traffic on the inside of the firewall behind the outside interface.

Hi, thanks for that.

So NAT inside traffic to the outside interface. Any thoughts on traffic coming from the inside firewall 172.20.57.1 to the internet? Because that also fails.


Thanks

You would NAT all networks (all networks that need to route through the internet firewall to access the internet) behind the internet firewall's outside interface; that would enable internet access.

You need to ensure that the internet firewall has routes to the other networks and the inside firewall has a default route to the internet firewall, e.g. route outside 0 0 172.20.57.2

HTH
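Putting the two replies together as an added example (not configuration from the thread or from either poster): the NAT and route statements the advice describes, written for the addressing the original poster gave (inside firewall outside interface 172.20.57.2, internet firewall inside interface 172.20.57.1). The internal network 192.168.10.0/24 behind the inside firewall, the interface names "inside"/"outside", and the ISP gateway placeholder are assumptions.

```text
! ===== Internet-facing ASA (assumed interface names: inside, outside) =====
! Return route to the (assumed) network behind the inside firewall, via the
! inside firewall's outside interface on the shared 172.20.57.0/24 transit.
route inside 192.168.10.0 255.255.255.0 172.20.57.2

! Default route toward the ISP (placeholder next hop, replace with yours).
route outside 0.0.0.0 0.0.0.0 <ISP_GATEWAY_IP>

! Dynamic PAT of every internal network that must reach the internet
! behind this ASA's outside interface address.
object network INTERNAL_NET_10
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network TRANSIT_NET
 subnet 172.20.57.0 255.255.255.0
 nat (inside,outside) dynamic interface

! ICMP inspection so echo replies are matched to the outbound echo request
! (inspection_default is the class in the default global_policy).
policy-map global_policy
 class inspection_default
  inspect icmp

! ===== Inside ASA (assumed interface names: inside, outside) =====
! Default route to the internet firewall's inside interface. The next hop is
! the peer's address on the shared subnet; pointing it at this ASA's own
! 172.20.57.2 is what produces the "connected network" rejection seen above.
route outside 0.0.0.0 0.0.0.0 172.20.57.1

! ===== Checks (exec mode, run on each ASA after applying) =====
! show route                      -> confirms the static/default routes above
! show nat                        -> confirms the translate hits increment
! packet-tracer input inside icmp 192.168.10.10 8 0 8.8.8.8
!   -> walks the flow through route lookup, NAT and inspection and reports
!      the phase that drops it, which is quicker than guessing from ping.
```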

Hi

It's not letting me add this route: route outside 0 0 172.20.57.2. It says it's a connected network.

Well, the next hop IP address needs to be connected; I don't see why you'd get this error. Can you provide the full configuration and a screenshot of the exact error when you add this to the inside firewall?