
Unable to Ping inter-interface (inside to outside) of ASA 5520

ashish386
Level 1

Hi All,

I am unable to ping from the inside interface (Rin) to the outside interface (Rout) of my Cisco ASA 5520 running ASA Version 8.4(1).

Please help!

ASA Version 8.4(1)
!
hostname FW5520
names
!
interface GigabitEthernet0/0
 nameif Rout
 security-level 0
 ip address 192.168.10.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif Rin
 security-level 100
 ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif Ain
 security-level 100
 ip address 192.168.1.5 255.255.255.252
!
interface GigabitEthernet0/3
 nameif Aout
 security-level 0
 ip address 192.168.10.5 255.255.255.252
!
object network LAN_Network
 subnet 10.24.0.0 255.255.0.0
 description LAN-Networks
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 102 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Rout 1500
mtu Rin 1500
mtu Ain 1500
mtu Aout 1500
mtu mgmt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Rout
icmp permit any Rin
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
access-group 101 in interface Rout
access-group 101 out interface Rout
access-group 101 in interface Rin
access-group 101 out interface Rin
access-group 102 global
route Rout 0.0.0.0 0.0.0.0 192.168.10.2 1
route Rin 10.24.0.0 255.255.0.0 192.168.1.2 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http server idle-timeout 30
management-access mgmt
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!

10 Replies

Julio Carvajal
VIP Alumni

Hello

I'm not sure if I have understood your request, but if what you want is to be able to ping a host on the outside from the inside, you should have a NAT statement for the host on the inside to the outside interface. And remember that by default the ASA does not allow you to ping or connect to a distant interface, but the fact that you can't is no need to worry.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Firstly thanks for the reply.

Basically I want to ping from my inside (Rin) interface to the outside (Rout) interface, and not the connected host. The firewall's inside interface is connected to an L3 core switch and the outside interface is connected to a router. I want my traffic coming from the core switch to the firewall to be forwarded to the router at the other end.

But I am unable to ping from the core switch to the router.

Thanks !

Ashish

Hi Asish,

Did you allow the particular IP to ping the destination? Also, you have to define ICMP from outside to inside, because ICMP uses echo-reply, which has to be allowed from outside to inside; if the inside IP is NATed then you have to allow that NATed IP as the destination from out to in.

Here is an example in case no NAT is used or an ACL is applied on the inside; if no ACL is applied on the inside then you don't need to use the inside ACL.

Let's say your inside IP is 10.10.10.10 and the outside is 20.0.0.1:

access-list Inside ext permit icmp host 10.10.10.10 host 20.0.0.1
access-group Inside in int inside
access-list Outside ext permit icmp host 20.0.0.1 host 10.10.10.10
access-group Outside in int outside

==========================

If you are using a NAT statement and nat-control is on, then you have to follow this example.

Again, if you are not using any ACL on the inside then you don't need the inside ACL.

Let's say your inside IP is 10.10.10.10, the outside is 20.0.0.1, and the inside IP is NATed to 20.0.0.2:

access-list Inside ext permit icmp host 10.10.10.10 host 20.0.0.1
access-group Inside in int inside
access-list Outside ext permit icmp host 20.0.0.1 host 20.0.0.2
access-group Outside in int outside

========================

Hope this helps you; if it is still not working then add ICMP to the inspection rules.

If you need more details, let me know.

Regards,

Azhar

If I understand the question correctly, you could also accomplish this by turning on ICMP inspection. Of course this assumes some sort of NAT also.

access-list ICMP extended permit icmp any any
class-map ICMP-CMAP
 match access-list ICMP
!
policy-map global_policy
 class ICMP-CMAP
  inspect icmp
!
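To make the difference between the two approaches concrete (Azhar's reply above, which permits echo-reply inbound with an explicit access rule, and this one, which relies on ICMP inspection), here is an added simulation that is not part of the thread or of any Cisco code. It models a static inbound rule, which admits every echo-reply whether or not a request went out, against `inspect icmp`, where the firewall records each outbound echo request and lets back exactly one reply matching its addresses, ICMP identifier and sequence number. The packet trace and addresses are constructed for the demonstration.

```python
"""
Stateless versus stateful ICMP handling through a firewall (added example,
not the thread's own configuration). StaticRules stands for an explicit
'permit icmp ... echo-reply' inbound rule; IcmpInspection stands for the
behaviour of 'inspect icmp'. The trace and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str     # "echo" (request) or "echo-reply"
    ident: int    # ICMP identifier
    seq: int      # ICMP sequence number


class StaticRules:
    """No ICMP inspection: replies are admitted only by an explicit inbound
    access rule, and that rule admits every echo-reply it sees."""

    def __init__(self, allow_echo_reply_inbound):
        self.allow = allow_echo_reply_inbound

    def handle(self, direction, pkt):
        if direction == "out":          # inside -> outside, high to low security
            return "forward"
        return "forward" if self.allow and pkt.kind == "echo-reply" else "drop"


class IcmpInspection:
    """'inspect icmp': each outbound echo request pins a connection entry; one
    matching echo-reply is forwarded and the entry is removed, so duplicate
    or unsolicited replies are dropped even though no rule permits them."""

    def __init__(self):
        self.pending = set()

    def handle(self, direction, pkt):
        if direction == "out" and pkt.kind == "echo":
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "forward"
        if direction == "in" and pkt.kind == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # a reply swaps src/dst
            if key in self.pending:
                self.pending.discard(key)                 # one reply per request
                return "forward"
            return "drop"
        return "drop"   # anything else would need its own access rule; dropped here


# Constructed trace: one ping from an inside host, its reply, a duplicated
# reply, and an unsolicited reply from an unrelated (hypothetical) address.
TRACE = [
    ("out", Icmp("10.24.1.1", "192.168.10.2", "echo", 0x1234, 1)),
    ("in",  Icmp("192.168.10.2", "10.24.1.1", "echo-reply", 0x1234, 1)),
    ("in",  Icmp("192.168.10.2", "10.24.1.1", "echo-reply", 0x1234, 1)),
    ("in",  Icmp("203.0.113.9", "10.24.1.1", "echo-reply", 0x9999, 7)),
]


def simulate(firewall, trace=TRACE):
    """Run the trace through one firewall model and return the per-packet verdicts."""
    return [firewall.handle(direction, pkt) for direction, pkt in trace]


if __name__ == "__main__":
    print("no rule, no inspection:", simulate(StaticRules(False)))
    print("permit echo-reply in:  ", simulate(StaticRules(True)))
    print("inspect icmp:          ", simulate(IcmpInspection()))
```

The third run is the one that matters operationally: with inspection the reply to a real ping still gets through without any inbound ICMP rule, while the replayed and the unsolicited replies are dropped, which a blanket `permit icmp any any echo-reply` cannot do.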

Another thing I noticed: you applied the same ACL on both interfaces in both directions. Do one thing to make the configuration simple: remove the ACL from the interfaces, create a new ACL and apply it in only one direction to find out the issue.

You can also check the logging in ASDM to see which ACL is blocking your ping.

Regards,

Azhar
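To see which rule in the posted configuration catches a given flow without a lab box, here is an added evaluator that is not code from the thread or from Cisco. It models the order the ASA (8.3 and later) applies access rules to traffic passing through it: the inbound ACL on the arrival interface, then the global ACL, then an implicit deny, with the outbound ACL on the exit interface checked afterwards. It also separates out the case Julio raised above: traffic addressed to one of the ASA's own interface IPs is governed by `icmp permit`, not by access-groups, and the ASA only answers ICMP sent to the interface the packet arrives on, so the far-side interface is not reachable through the box. Only the ACL syntax used in the posted config is parsed; interface names, addresses and security levels are copied from it, and the host addresses in the usage are assumed.

```python
"""
ASA-style access-rule evaluator (added example, not code from the thread or
from Cisco). Order modelled for through-the-box traffic: inbound ACL on the
ingress interface, then the global ACL, then implicit deny; a permitted flow is
then checked against the outbound ACL on the egress interface, if applied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface addresses and security levels from the posted configuration.
IFACE_IPS = {name: ipaddress.ip_address(ip) for name, ip in [
    ("Rout", "192.168.10.1"), ("Rin", "192.168.1.1"),
    ("Ain", "192.168.1.5"), ("Aout", "192.168.10.5")]}
SEC_LEVEL = {"Rout": 0, "Rin": 100, "Ain": 100, "Aout": 0}

# The access-list / access-group lines exactly as posted.
POSTED_ACL_CONFIG = """
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 102 extended permit ip any any
access-group 101 in interface Rout
access-group 101 out interface Rout
access-group 101 in interface Rin
access-group 101 out interface Rin
access-group 102 global
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]  # only set on icmp rules that name a type

    def matches(self, proto, src, dst, icmp_type):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.icmp_type is None or self.icmp_type == icmp_type


def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse(config):
    """Return ({acl_name: [Rule, ...]}, [(acl_name, 'in'|'out'|'global', iface)])."""
    acls, groups = {}, []
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2] == "extended":
            rest = tok[5:]
            src = _addr_spec(rest)
            dst = _addr_spec(rest)
            acls.setdefault(tok[1], []).append(
                Rule(tok[3], tok[4], src, dst, rest[0] if rest else None))
        elif tok[:1] == ["access-group"]:
            # 'access-group NAME global' or 'access-group NAME in|out interface IFACE'
            groups.append((tok[1], tok[2], tok[4] if tok[2] != "global" else None))
    return acls, groups


def _first_match(rules, *flow):
    return next((r for r in rules if r.matches(*flow)), None)


def evaluate(config, ingress, egress, proto, src, dst, icmp_type=None):
    """Return (verdict, reason) for one flow entering on `ingress` and exiting on `egress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls, groups = parse(config)

    # To-the-box traffic: access-groups do not apply; 'icmp permit' does, and
    # only for the interface the packet arrives on.
    for name, ip in IFACE_IPS.items():
        if dst == ip:
            if name == ingress:
                return "to-the-box", f"governed by 'icmp permit' on {ingress}, not by access-groups"
            return "unanswered", f"{dst} is interface {name}; the ASA only answers ICMP on the arrival interface"

    flow = (proto, src, dst, icmp_type)
    inbound = [acls[n] for n, d, i in groups if d == "in" and i == ingress]
    inbound += [acls[n] for n, d, _ in groups if d == "global"]
    if not inbound:  # no access rules at all: security levels decide
        if SEC_LEVEL[ingress] > SEC_LEVEL[egress]:
            return "permit", "no ACL applied; higher- to lower-security traffic allowed by default"
        return "deny", "no ACL applied; lower- or equal-security traffic denied by default"

    for rules in inbound:  # interface ACL first, then the global ACL
        hit = _first_match(rules, *flow)
        if hit is not None:
            if hit.action != "permit":
                return "deny", f"explicit deny: {hit}"
            break
    else:
        return "deny", "implicit deny at the end of the inbound and global ACLs"

    for rules in [acls[n] for n, d, i in groups if d == "out" and i == egress]:
        if (out_hit := _first_match(rules, *flow)) is None or out_hit.action != "permit":
            return "deny", f"blocked by the outbound ACL on {egress} (implicit deny)"
    return "permit", "permitted by the inbound/global ACL and the egress outbound ACL"


if __name__ == "__main__":
    # Host addresses below are assumed for the demonstration.
    for args in [("Rin", "Rout", "icmp", "10.24.1.1", "192.168.10.2", "echo"),
                 ("Rin", "Rout", "tcp", "10.24.1.1", "192.168.10.2"),
                 ("Rin", "Rout", "icmp", "10.24.1.1", "192.168.10.1", "echo")]:
        print(args[2:], "->", evaluate(POSTED_ACL_CONFIG, *args))
```

Two things fall out of running it against the posted lines. A ping from the core switch to the Rout address is never subject to the access-groups at all, which is why rewriting ACL 101 cannot make it work. And because ACL 101 is also applied outbound on Rout and Rin, every non-ICMP flow is let in by the global `permit ip any any` and then dropped by the outbound ACL's implicit deny, so removing the outbound access-groups, as suggested above, matters for more than just ping.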

@ Azhar,

In ASDM it shows the global implicit ACL denies it.

I want to ping appliance's outside interface from its inside interface.

@ Clooney,

I have inspect icmp in the global policy.

policy-map global_policy
 class inspection_default
  inspect icmp

I will still try this and let you know.

Thanks !

Ashish

Dear Ashish,

Your defined ACL is very complex; can you do one thing: remove these ACLs from the access-group (not the access-list).

access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-group 101 in interface Rout
access-group 101 out interface Rout
access-group 101 in interface Rin
access-group 101 out interface Rin

================================

And create a new ACL as defined below.

First remove these:

no access-group 101 in interface Rout
no access-group 101 out interface Rout
no access-group 101 in interface Rin
no access-group 101 out interface Rin

Then create these ACLs and apply them on the interfaces:

access-list Inside ext permit icmp any any
access-list Outside ext permit icmp any any
access-group Inside in interface Rin
access-group Outside in interface Rout

It will resolve your problem.

Regards,

Azhar

Hi Azhar,

I am Ashish's colleague. We tried doing this, but Rin and Rout are still not pingable.

Regards,

Milap Parekh

Dear Milap,

You have ASDM installed on your workstation; you can check the logging on it to see which ACL is blocking this.

Can we do a remote session, which would help us find the problem in a better way?

Regards,

Azhar

I am not an expert... but a chance...

Use extended ping with the appropriate source address.

While pinging outside, ping using the source address / interface as the inside (Rin).

While pinging inside, ping using the source address / interface as the outside (Rout).

You have multiple interfaces with the same security level (0 and 100).

regards

Sunny
