Solved: Unable to ping internet site with inside interface.

mahesh18 · ‎09-28-2012

Hi all,

Is it possible to ping internet sites using the source as inside interface of ASA?

i am trying to ping internet sites using source as inside interface but no luck.

Does ASA allow ping using inside ip ?

Thanks

mahesh

Jennifer Halim · ‎09-30-2012

Here we go:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

exit

service-policy global_policy global

View solution in original post

Jennifer Halim · ‎09-28-2012

no, unfortunately you can't ping from the ASA inside interface towards the internet. You can't cross ping through another interface and also the ASA interfaces do not get NATed.

You can ping the internet site only via the outside interface if the internet is connected via the outside interface.

mahesh18 · ‎09-28-2012

Hi Jennifer,

Thanks for reply.

So when you say

You can't cross ping through another interface.

Does this mean that if i have i have PC under the inside interface and if i want to ping from PC to internet as internet

is connected to outside interface it will not work ----as inside interface has to cross the outside interface?

second thing also the ASA interfaces do not get NATed

Can you please explain this in more detail?

Regards

mahesh

Jennifer Halim · ‎09-29-2012

Hi Mahesh,

Can't ping cross interface means, if you have a PC on the inside interface, you can only ping the ASA inside interface and you can't ping the outside interface. You can only ping the interface of the ASA where the traffic is coming from.

But you can ping from inside host to an outside host on the internet. Only can't ping the ASA cross interface.

When you configure NAT, the ASA interface for example the inside interface of the ASA doesn't get NATed. Host behind the ASA connected through the inside interface will get NATed if you have NAT rule going towards the outside, but the ASA inside interface itself doesn't get NATed.

Hope that answers your question.

mahesh18 · ‎09-29-2012

Hi Jennifer,

Thanks for reply.

When you say that --

But you can ping from inside host to an outside host on the internet. Only can't ping the ASA cross

interface

Does this mean the following

i tried to ping from my pc to any host IP in internet ping does not work.

Should this ping work or not by default?

Regards

MAhesh

Jennifer Halim · ‎09-29-2012

Yes, ping should work from inside host to host on the internet.

Assuming that you have "inspect icmp" configured on the ASA, and also have NAT translation.

mahesh18 · ‎09-30-2012

Hi Jennifer,

NAT is configured how can i check if inspect icmp is configured or not?

I am putting config here

ciscoasa# sh running-config

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password .vV.3QsyXqiTEfZu encrypted

passwd PnBz02JMnfQN7Ggt encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.11.5 255.255.255.0

!

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MST recurring

object-group network obj-192.168.1.0

no pager

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 15

dhcpd dns 64.59.135.145

!

dhcpd address 192.168.1.5-192.168.1.250 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.103.24.10

webvpn

username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15

!

prompt hostname context

call-home reporting anonymous prompt 2

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8f25c732335fdff1cbcebb04e14b2159

: end

Seems i have no inspect icmp in the config.

how can i configure it?

Thanks

MAhesh

Jennifer Halim · ‎09-30-2012

Here we go:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

exit

service-policy global_policy global

mahesh18 · ‎09-30-2012

Hi Jennifer,

IT worked.

Thanks a lot for help all the way

regards

mahesh