02-25-2011 12:40 PM - edited 03-11-2019 12:56 PM
I have a normal setup of ASA5505 (without security license) connected behind an internet router.
From the ASA5505 console I can ping the Internet.
However, users behind the Firewall on the internal LAN cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall, so there is no internal reachability problem.
In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When I replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below. Please advise regarding the potential problem:
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
!
interface Ethernet0/1
description Connected To Internal Core Switch 192.168.1.20
switchport access vlan 20
!
interface Vlan10
description Connected To Internet Router
nameif outside
security-level 0
ip address 195.228.185.82 255.255.255.248
!
interface Vlan20
description Connected To Internal Core Switch 192.168.1.20
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
access-list Internet-ACL extended permit ip 192.168.1.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.2.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.3.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.4.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.5.0 255.255.255.0 any
route outside 0.0.0.0 0.0.0.0 195.228.185.85 1
route inside 192.168.2.0 255.255.255.0 192.168.1.20 1
route inside 192.168.3.0 255.255.255.0 192.168.1.20 1
route inside 192.168.4.0 255.255.255.0 192.168.1.20 1
route inside 192.168.5.0 255.255.255.0 192.168.1.20 1
global (outside) 1 interface
nat (inside) 1 access-list Internet-ACL
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
02-25-2011 01:24 PM
Hi,
It is normal that you cannot PING the internet since this will not work by default from behind the firewall.
You need to add inspect icmp to the global_default_policy.
Now the internal users should be able to get to the Internet; check that the translations and connections are being built with sh xlate and sh conn.
Hope it helps.
Federico.
02-25-2011 01:26 PM
Hi,
By default there is no ICMP inspection on the ASA, which means that return packets to ICMP issued from a high security level towards a low security level are not allowed.
So you must enable ICMP inspection or put an ACL on the outside interface inbound permitting ICMP echo-replies.
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059758
To verify where the ASA is stuck when forwarding traffic you can use packet-tracer:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
Regards.
Alain.
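The two fixes described in the replies above (ICMP inspection, or an inbound ACL on outside), written out as an added example rather than configuration from the thread. It assumes the ASA default class-map/policy-map names (inspection_default, global_policy) and a constructed inside host 192.168.1.50; only one of the two options is needed, and the stateful inspection option is the tighter one because it admits only replies to requests the ASA has already seen.

```cisco
! Added example, not from the thread. Assumes the default ASA class-map and
! policy-map names and a constructed inside host 192.168.1.50.
!
! Option 1 (Federico's suggestion): enable ICMP inspection so the ASA tracks
! outbound echo-requests and admits only the matching echo-replies.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Option 2 (Alain's alternative): no inspection, but explicitly permit the
! reply traffic inbound on outside. Everything else is still dropped by the
! implicit deny at the end of the ACL.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside
!
! Verification (exec mode): trace an echo-request (type 8, code 0) from the
! inside host to a public address and read each phase (NAT, ACL, inspect).
packet-tracer input inside icmp 192.168.1.50 8 0 8.8.8.8 detailed
!
! With a ping running from the host, confirm the translation, the connection
! entry and the hit counts on the NAT ACL from the original post.
show xlate
show conn
show access-list Internet-ACL
```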