Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2919
Views
5
Helpful
6
Replies

Unable to ping internet and outside interface from my inside network using ASAv

Go to solution
Amiel
Level 1
Level 1

‎07-25-2020 02:30 AM - edited ‎07-25-2020 02:34 AM

I am having a problem pinging the outside interface from my inside network. I have already performed the static routing from which all routes will be able to access the internet, from ASAv I am able to ping the outside network but from my inside network, I was not able to ping and access the web but I am able to ping the inside interface of the ASAv. I am not really sure where the problem is.

ASAv

ciscoasa(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/34/40 ms

Core switch

CoreSwitch#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CoreSwitch#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

CoreSwitch#ping 10.10.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
CoreSwitch#

 

I have attached the topology, the running config of the ASAv and the routing table for reference

Preview file
99 KB
Preview file
9 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP
In response to Amiel

‎07-25-2020 03:16 AM

you must be missing a default route on the core swithcn

please do not forget to rate.

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎07-25-2020 02:54 AM

Hi,
You won't be able to ping the ASA's outside interface (10.10.10.10) when you are connected to a device on the inside interface of the ASA. That is by design.

You will need a NAT rule, to NAT traffic sourced from the inside interface destined to the outside interface. Remove your existing NAT rule. Try this:-

no nat (outside,inside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

HTH
0 Helpful

Go to solution
Amiel
Level 1
Level 1
In response to Rob Ingram

‎07-25-2020 03:00 AM

Thanks for the reply, I tried this one out but unfortunately, I am still not able to ping to the outside network

CoreSwitch#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CoreSwitch#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CoreSwitch#
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Amiel

‎07-25-2020 03:14 AM

As already stated you cannot ping the ASA's outside interface (10.10.10.10) when you are connect to network on the inside interface.

Provide the output of "show nat detail" to confirm whether the NAT rules are being hit.
Run packet-tracer from the CLI and provide the output
0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to Amiel

‎07-25-2020 03:16 AM

you must be missing a default route on the core swithcn

please do not forget to rate.

Go to solution
Amiel
Level 1
Level 1
In response to Sheraz.Salim

‎07-25-2020 03:16 AM

Thanks for this one Salim!
0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP

‎07-25-2020 02:58 AM

In order for core switch to reach google address you need NAT in place.

!

object network INSIDE

 subnet 10.10.200.0 255.255.255.0

 nat (inside,outside) interface dynamic

!

 

now why you trying to ping the outside interface of ASA (10.10.10.10) from the core. the ASA by default will not going to respond this ping.

why dont you ping 10.10.10.x

please do not forget to rate.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card