Can't ping outside from inside via ASA firewall

gilmiles (Level 1)

Hi all,

 

I'm still getting to grips with Cisco so please bear with me if this is simple or has been asked before. I've been searching forums but can't seem to get it working still and it's driving me mad.

 

I'm unable to ping the outside router (Endpoint - Cisco 1841) from the inside router (SME_Edgenode - Cisco 1841) through the firewall (ciscoasa - Cisco ASA 5520). I have enabled ICMP on the global policy but not sure what else I've missed.

 

 

Screenshot 2022-05-02 165532.png

 

Here's the config for ciscoasa and SME_Edgenode.

ciscoasa


ASA Version 9.1(7)16
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.0.16.1 255.255.240.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 8.8.8.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
management-only
nameif ManageASDM
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-subnet
subnet 10.0.16.0 255.255.240.0
pager lines 24
logging enable
logging console notifications
logging trap informational
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu ManageASDM 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 8.8.8.8 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 ManageASDM
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access ManageASDM
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1
webvpn
anyconnect-essentials
cache
disable
username admin password vk.4GrSWKo9Qs.br encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:06d49b23efe42f38c48e4e0c8165492e

 

 

SME_Endpoint

 

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SME_Endpoint
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ip source-route
!
!
!
!
!
ip cef
multilink bundle-name authenticated
!
!
license udi pid CISCO1841 sn FCZ1453913J
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.16.2 255.255.240.0
speed auto
full-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
ip default-gateway 10.0.16.1
ip forward-protocol nd
!
!
no ip http server
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000


4 Replies

Jon Marshall (Hall of Fame)

 

Can you ping 8.8.8.8 from the firewall ? 

 

If so on the internal router can you enter "no ip routing" and try again. 

 

Jon

In SME point 

Config default route toward ASA inside interface.

Jon Marshall (Hall of Fame)

 

Actually that's a good point. 

 

Think the issue is your internal router is not using the default gateway because it has routing enabled so I suggested turning off routing but looking at your diagram you are going to need it to route so the suggestion to replace the default gateway with a default route is a better one. 

 

Jon

Hello

Try the following:

ASA
route inside 192.168.10.0 255.255.255.0 10.0.16.2

object network LAN
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface


access-list 100 extended permit icmp any object LAN echo-reply

access-group 100 in interface outside

or
access-list ECHO_REPLY extended permit icmp any any

class-map ICMP
match access-list ECHO_REPLY

policy-map global_policy
class ICMP
inspect icmp

 

SME_ENDPOINT
ip route 0.0.0.0 0.0.0.0 fa0/0 10.0.16.1

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul