thanks Vibhor,

I have a static one to one Nat applied,no port forwarding is done.

Kindly let me know how to allow icmp inspect for a particular interface.

Thanks

Hi,

You just need to run this command:- fixup protocol icmp

This is a global feature and will be enabled for the complete device.

Also , run a packet trace to find out what policies are being hit on the ASA device for this traffic ?

Refer:-

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia

i have a ubunto server which i am not able to update or upgrade as its not able to access the internet...

not sure where the problem is....i ran the packet tracer it shows the implicit configured rule is the problem for the configured dmz and when i checked that rule its there by default as iam unable to edit or delete it.

How are you trying to access the internet from the server ie. what port are you testing on ?

Can you post the ASA configuration.

Jon

I have a Ubuntu Server which is connected to the dmz port of the ASA and from there i try to ping google dns which iam not,also iam not able to update and upgrade my server.

object network water_private

 nat (dmz5,Jeraisy) static waterlevel_public

access-group Jeraisy_access in interface Jeraisy

access-list Jeraisy_access extended permit object-group DM_INLINE_SERVICE_6 any4 object water_private

route Jeraisy 0.0.0.0 0.0.0.0 83.101.xx.xx 2

Hi,

I see that you mentioned the packet tracer drops this traffic ? Can you post the trace output ?

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

I tried with the fixup protocol icmp but didn't worked.

kindly find the attached packet tracer from my outside interface to google dns..

I thought "Jeraisy" was your outside interface but that's not what your packet tracer is saying.

Can you just post the configuration of the firewall.

Jon

Hi Jon,

yes Jeraisy is our another outside interface facing another ISP.

plz find attached config

Can you post "sh route"

Jon

Hi,

I agree with Jon on this issue that because you have two ISP and the one which is secondary , would never be used for routing the traffic outbound to the internet.

There is a Workaround that can be used but that should only be used cautiously:-

If you are okay to route all the outbound traffic for a specific destination port out through the ISP 2 (Jeraisy ) For ex:-

If you want all the outbound traffic destined to port 80 to go out through this interface , you can create a statement like this:-

static (Jeraisy ,DMZ5) tcp 0.0.0.0 80 0.0.0.0 80

You can refer to these articles for all the possible options in this scenario:-

https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options

https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa

Thanks and Regards,

Vibhor Amrodia

thanks Vibhor,

Do i need to add router also in my topology?

A router in front of your firewall would allow you to connect both ISPs to the router and only have one outside interface on the ASA.

Then you can use PBR on the router to direct traffic via whichever ISP you wanted based on the source IP address of the device i.e you would translate your server to a specific IP and then send it down the Jeraisy link.

PBR can also distinguish with ports as well which gives you more flexibility.

That said I believe there is a release of code for the ASA due soon that will support PBR and that would also solve your issue.

Perhaps Vibhor could provide some more details on that.

Jon