ASA 8.4: Can't ping external hosts from inside

the-lebowski
Level 4

DNS resolution works and I can surf the web without fail. But if I try to ping any external hosts from the LAN I get timeouts (I can ping the inside interface of the ASA fine). I can ping anything from the ASA itself without fail. Can someone help me out?

ASA Version 8.4(1)
!
hostname fw1-nat-ann
domain-name inmd.infoblox.com
enable password anWLNen9CTFp7B/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 38.104.12.98 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.23.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.23.18.198 255.255.255.0
 management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.23.16.21
.....
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 host 172.23.16.19
 description INMD DC/RADIUS
object network INMD_ClientVPN
 subnet 172.23.2.0 255.255.255.0
object network ............
 host 172.23.18.20
 description INMD DC/RADIUS
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
...........
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_cryptomap extended permit ip object Annapolis object SantaClara_HQ
access-list IPv4_VPN_HQGrpPolicy extended permit ip any any
access-list outside_cryptomap_2 extended permit ip object Annapolis object SSpeer_home
..........
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
........
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-642.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Annapolis Annapolis destination static INMD_ClientVPN INMD_ClientVPN
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 38.104.12.97 1
route inside 10.120.0.0 255.255.0.0 172.23.1.2 1
route inside 172.23.0.0 255.255.0.0 172.23.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.23.16.19
 timeout 5
 key *****
aaa authentication ssh console LOCAL
http server enable
http 172.23.18.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
..........
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
............
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
.........
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 10
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
........
 wins-server none
 dns-server value 172.23.16.21 172.23.18.23
......
.......
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bf287150b0604fdb0e77da531f04fc2b
: end

1 Reply

manish arora
Level 6

Try:

asa(config)# fixup protocol icmp

Manish
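Why the reply works: the posted inside_access_in ACL already permits icmp outbound (DM_INLINE_PROTOCOL_1 includes it), but the pasted global_policy has no "inspect icmp", so the ASA keeps no state for the outbound echo-request and drops the echo-reply arriving on the security-level-0 outside interface. On ASA 7.0 and later the legacy "fixup protocol icmp" is stored as "inspect icmp" under class inspection_default of the global policy. The Python below is an added example, not code from the thread or from Cisco: a small checker that parses ASA policy-map blocks by indentation and reports whether the globally applied policy inspects ICMP, run against a constructed excerpt modelled on the posted config before and after the fix.

```python
import re

# Constructed excerpt modelled on the posted config: the inspection_default
# class under global_policy carries no "inspect icmp" line.
ASA_CONFIG_BEFORE = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ip-options
!
service-policy global_policy global
"""

# Same excerpt after the reply's fix: the ASA stores "fixup protocol icmp"
# as "inspect icmp" under the default inspection class.
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE.replace(
    "  inspect ip-options\n", "  inspect ip-options\n  inspect icmp\n")


def parse_policy_maps(config):
    """{policy_map: {class: [actions]}}; ASA indents class 1, actions 2."""
    policies, pm, cls = {}, None, None
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:  # any top-level command closes an open policy-map
            m = re.fullmatch(r"policy-map (\S+)", line)  # skips "type inspect" maps
            pm, cls = (m.group(1) if m else None), None
            if pm:
                policies[pm] = {}
        elif pm and indent == 1 and line.startswith("class "):
            cls = line.split()[1]
            policies[pm][cls] = []
        elif pm and cls and indent >= 2:
            policies[pm][cls].append(line)
    return policies


def icmp_inspection_enabled(config):
    """True when the policy applied by 'service-policy <name> global' has the
    exact action 'inspect icmp' ('inspect icmp error' alone does not count)."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    classes = parse_policy_maps(config).get(m.group(1), {}) if m else {}
    return any(a.split() == ["inspect", "icmp"] for acts in classes.values() for a in acts)
```

Feed it a full "show running-config" and it will skip the "policy-map type inspect" blocks (such as preset_dns_map) and report only on the policy actually applied globally.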