cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6049
Views
0
Helpful
8
Replies
mahesh18
Frequent Contributor

Unable to ping internet site with inside interface.

Hi all,

Is it possible to ping internet sites using the source as  inside interface of ASA?

i am trying to ping internet sites using source as inside interface but no luck.

Does ASA allow ping using inside ip ?

Thanks

mahesh

1 ACCEPTED SOLUTION

Accepted Solutions

Here we go:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

exit

service-policy global_policy global

View solution in original post

8 REPLIES 8
Jennifer Halim
Cisco Employee

no, unfortunately you can't ping from the ASA inside interface towards the internet. You can't cross ping through another interface and also the ASA interfaces do not get NATed.

You can ping the internet site only via the outside interface if the internet is connected via the outside interface.

Hi Jennifer,

Thanks for reply.

So when you say 

You can't cross ping through another interface.

Does this mean that if i have i have PC under the inside interface and if i want to ping from PC to internet as internet

is connected to outside interface it will not work ----as inside interface has to cross the outside interface?

second thing  also the ASA interfaces do not get NATed

Can you please explain this in more detail?

Regards

mahesh

Hi Mahesh,

Can't ping cross interface means, if you have a PC on the inside interface, you can only ping the ASA inside interface and you can't ping the outside interface. You can only ping the interface of the ASA where the traffic is coming from.

But you can ping from inside host to an outside host on the internet. Only can't ping the ASA cross interface.

When you configure NAT, the ASA interface for example the inside interface of the ASA doesn't get NATed. Host behind the ASA connected through the inside interface will get NATed if you have NAT rule going towards the outside, but the ASA inside interface itself doesn't get NATed.

Hope that answers your question.

Hi Jennifer,

Thanks for reply.

When you say that --

But you can ping from inside host to an outside host on the internet. Only can't ping the ASA cross

interface

Does this mean the following

i tried to ping from my pc to any host IP  in internet ping does not work.

Should this ping work or not by default?

Regards

MAhesh

Yes, ping should work from inside host to host on the internet.

Assuming that you have "inspect icmp" configured on the ASA, and also have NAT translation.

Hi Jennifer,

NAT is configured how can i check if inspect icmp is configured or not?

I am putting config here

ciscoasa# sh running-config

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password .vV.3QsyXqiTEfZu encrypted

passwd PnBz02JMnfQN7Ggt encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.11.5 255.255.255.0

!

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MST recurring

object-group network obj-192.168.1.0

no pager

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 15

dhcpd dns 64.59.135.145

!

dhcpd address 192.168.1.5-192.168.1.250 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.103.24.10

webvpn

username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15

!

!

prompt hostname context

call-home reporting anonymous prompt 2

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8f25c732335fdff1cbcebb04e14b2159

: end

Seems i have no inspect icmp in the config.

how can i configure it?

Thanks

MAhesh

Here we go:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

exit

service-policy global_policy global

View solution in original post

Hi Jennifer,

IT worked.

Thanks a  lot for help all the way

regards

mahesh

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad