Workstation cannot ping the router on outside interface of firewall.

I have 2 Cisco ASAs working in active/standby mode. The active one is sitting behind a Cisco 3900 router.

IP for the Cisco 3900 router is 192.168.1.2

I can successfully ping this ip address from the firewall.

Now when I connect a machine on the inside interface of the firewall, I can ping the firewall, which is its gateway, with no issues. But I cannot ping the router from the machine. I have the below NAT settings too.

nat (inside) 1 0 0

global (outside) 1 interface

Still I cannot ping the router from the machine which is on the inside of the firewall. The router is on the outside of the firewall.

Any suggestions?

Thanks,

Pratik


13 Replies

mvsheik123
Level 7

Hi Pratik,

You need to allow icmp 'echo-reply' to inside on ASA outside interface ACL.

hth

MS

So my ACL would be

access-list outside_access_in any any eq echo-reply

access-group outside_access_in in interface outside

Am I right?

It should work. Let us know if you still have any issues.

Thx

MS

It didn't work. Below is my config.

ASA Version 8.2(1)
!
hostname BDS-FA-FW
enable password Fk/FKoeyrw2FML8Z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0 standby 192.168.7.2
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 204.138.112.2 255.255.255.0 standby 204.138.112.4
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2
 management-only
!
ftp mode passive
access-list outside_access_in extended permit tcp any any eq echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface bds-failover GigabitEthernet0/2
failover key *****
failover link bds-failover GigabitEthernet0/2
failover interface ip bds-failover 10.10.1.1 255.255.255.0 standby 10.10.1.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 204.138.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4ea9a80395ba6903666c9eff68fcfbb3

Hello Pratik.

Please do the following.

-fixup protocol ICMP.

That should do it.

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
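The two fixes proposed in this thread address the same gap from different sides: without ICMP inspection, the ASA does not track an outbound echo as a connection, so the echo-reply arriving on the outside interface is treated as new inbound traffic and must either be permitted explicitly by the outside ACL (mvsheik123's suggestion) or matched statefully by `inspect icmp` (what `fixup protocol icmp` configures under the global policy-map on ASA 7.x and later). The following audit script is an added example, not code from the thread or from Cisco. It parses the flat `show running-config` text of a pre-8.3 ASA, finds the ACL bound inbound on `outside` and the protocols inspected by the globally applied policy-map, and reports whether echo-replies can return. The sample configuration is a trimmed, constructed excerpt of the config posted above (passwords and unrelated commands omitted); the `inspect icmp` and `echo-reply` variants are assumptions about what the two fixes look like once applied.

```python
"""Audit an ASA 8.x running-config for the ICMP return-path gap discussed in the thread.

Added example, not from the thread or from Cisco. Assumptions: the input is the flat
'show running-config' text in legacy (pre-8.3) syntax, and one policy-map is applied
with 'service-policy <name> global'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Rules that let an echo-reply back in through the outside ACL.
ECHO_REPLY_RE = re.compile(r"^permit icmp \S+ \S+ echo-reply\b")
# The common mistake from the thread: TCP port 7 ("echo" service) instead of ICMP.
TCP_ECHO_RE = re.compile(r"^permit tcp .*\beq echo\b")


@dataclass
class IcmpAudit:
    inspect_icmp: bool = False          # 'inspect icmp' present in the global policy
    outside_acl: Optional[str] = None   # ACL bound inbound on the outside interface
    echo_reply_permitted: bool = False  # outside ACL explicitly allows echo-reply
    findings: list[str] = field(default_factory=list)


def _parse(text: str):
    acls: dict[str, list[str]] = {}      # ACL name -> rule bodies
    groups: dict[str, str] = {}          # interface -> inbound ACL name
    inspects: dict[str, set[str]] = {}   # policy-map -> inspected protocols
    global_policy = None
    current_pm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list (\S+) (extended )?(.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(3))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
            continue
        # Exactly one token after 'policy-map' skips 'policy-map type inspect ...' maps.
        m = re.match(r"policy-map (\S+)$", line)
        if m:
            current_pm = m.group(1)
            inspects.setdefault(current_pm, set())
            continue
        if current_pm and line.startswith("class "):
            continue
        if current_pm and line.startswith("inspect "):
            inspects[current_pm].add(line.split()[1])
            continue
        current_pm = None  # any other top-level command ends the policy-map block
        m = re.match(r"service-policy (\S+) global", line)
        if m:
            global_policy = m.group(1)
    return acls, groups, inspects, global_policy


def audit(text: str) -> IcmpAudit:
    """Report whether echo-replies from outside can reach inside hosts."""
    acls, groups, inspects, global_policy = _parse(text)
    result = IcmpAudit()
    result.inspect_icmp = "icmp" in inspects.get(global_policy, set())
    result.outside_acl = groups.get("outside")
    rules = acls.get(result.outside_acl, []) if result.outside_acl else []
    result.echo_reply_permitted = any(ECHO_REPLY_RE.match(r) for r in rules)
    for r in rules:
        if TCP_ECHO_RE.match(r):
            result.findings.append(f"'{r}' matches TCP port 7 (echo service), not ICMP echo-reply")
    if not result.inspect_icmp and not result.echo_reply_permitted:
        result.findings.append("echo-reply from outside will be dropped: no 'inspect icmp' "
                               "in the global policy and no echo-reply permit on the outside ACL")
    return result


# Constructed sample: the relevant lines of the config posted in the thread,
# with passwords and unrelated commands left out.
THREAD_CONFIG = """\
hostname BDS-FA-FW
interface GigabitEthernet0/3
 nameif outside
 security-level 0
access-list outside_access_in extended permit tcp any any eq echo
icmp permit any outside
icmp permit any inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
service-policy global_policy global
"""

# Assumed result of 'fixup protocol icmp': 'inspect icmp' under the global policy.
INSPECT_FIXED_CONFIG = THREAD_CONFIG.replace("  inspect tftp\n", "  inspect tftp\n  inspect icmp\n")
# Assumed result of the ACL approach: permit the reply explicitly instead of TCP port 7.
ACL_FIXED_CONFIG = THREAD_CONFIG.replace("permit tcp any any eq echo", "permit icmp any any echo-reply")

if __name__ == "__main__":
    for name, cfg in [("as posted", THREAD_CONFIG), ("inspect icmp", INSPECT_FIXED_CONFIG),
                      ("echo-reply ACL", ACL_FIXED_CONFIG)]:
        a = audit(cfg)
        print(f"[{name}] inspect_icmp={a.inspect_icmp} echo_reply_permitted={a.echo_reply_permitted}")
        for f in a.findings:
            print("   -", f)
```

Feed it the output of `show running-config` to see both checks at once; the TCP-port-7 finding stays even after `inspect icmp` is added, since that ACL line is harmless but does nothing for ping.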

Julio,

It didn't work. I still get a timeout. I can ping 204.138.112.1 from the firewall, but cannot from the workstation.

My workstation settings are as below.

IP: 192.168.7.10

Subnet: 255.255.255.0

Default Gateway: 192.168.7.1

DNS: 4.2.2.2

I can ping 192.168.7.1. But cannot further.

Looks like it's something to do with the destination IP address. Any ACL on that? Also, meanwhile, can you ping any external IP on the internet to see if ICMP is passing your firewall? Ping 4.2.2.2

Ajay,

I cannot ping 4.2.2.2.

There is no access list on destination IP 204.138.112.1. It is a Cisco 3900 router. I can ping the router with no issues from the firewall, but cannot ping from the workstation which is on the inside of the firewall.

Hello Pratik,

Please do the following capture and provide us the capture after you try to ping again:

access-list capin permit icmp host 192.168.7.10 host 204.138.112.1

access-list capin permit icmp host 204.138.112.1 host 192.168.7.10

access-list capout permit icmp host 204.138.112.2 host 204.138.112.1

access-list capout permit icmp host 204.138.112.1 host 204.138.112.2

capture capin access-list capin interface inside

capture capout access-list capout interface outside

Please try to ping and provide the following output:

-sh cap capin

-sh cap capout

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I guess the fixup command worked. I can now ping 204.138.112.1 from the workstation.

So I am good on that part. Now my other issue is I cannot ping 4.2.2.2 from this router, which is a Cisco 3900. Can you help with that?

Thanks,

Pratik

Hello Pratik,

Good to hear that the stateful inspection for the protocol ICMP worked.

Sure, we can help but we will need to see the configuration of the router.

-Do you have any firewall feature configured on the router (CBAC, ZBFW)?

-What is the default gateway of your router? Can you ping the default gateway?

-Can you let us know the NAT statements you have configured on the router?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I figured out what I was missing from the questions you asked. I was missing a default route on the router. I put that in and everything works now.

Thanks a lot for your help!

Pratik

Hello,

Great to hear that.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC