12-24-2022 06:10 AM - edited 12-24-2022 06:12 AM
Hi there
I built a network in Packet Tracer with two computers, one router and one firewall.
But unfortunately, I am not able to ping from the first computer to the second computer.
Between the first computer and the firewall, there is a "192.168.3.0/24" network
Between the firewall and the router, there is a "209.165.200.224/30" network
and between the router and the second computer, there is a "209.165.201.0/24" network
I assigned both PCs a static IP-address:
The first PC has the following static ip-address: "192.168.3.3"
and the second PC has the following static ip-address: "209.165.201.254"
I defined a route on the firewall with the following command:
route outside 0.0.0.0 0.0.0.0 209.165.200.225
And I also defined a NAT on the firewall with the following commands:
object network INSIDE
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) dynamic interface
And I also created a rule on the firewall to let ICMP get through.
class-map inspection_default
match default-inspection-traffic
exit
policy-map global_policy
class inspection_default
inspect icmp
exit
service-policy global_policy global
The output of the "show run" command on the firewall looks as follows:
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 209.165.200.226 255.255.255.252
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
object network INSIDE
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!
And the output of the "show run" command on the router looks as follows:
Building configuration...
Current configuration : 723 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2911/K9 sn FTX1524CEV3-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 209.165.200.225 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 209.165.201.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Thank you very much in advance
12-24-2022 06:45 AM - edited 12-24-2022 06:50 AM
can you share the file
12-24-2022 06:53 AM
Here you go: https://we.tl/t-2XwUMTmTca
12-24-2022 07:10 AM - edited 12-24-2022 07:10 AM
The issue is a PKT limit; you need these steps to make ICMP work:
1- no policy-map global_policy
2- no service-policy global_policy global
3-
policy-map global_policy
class inspection_default
inspect http <<- add this
inspect icmp <<- add this
4- service-policy global_policy global
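An added example, not part of the thread and not Cisco tooling: a small Python check that reads a pasted ASA running-config and reports whether a protocol is inspected by the globally applied policy-map. The sample is the policy section of the firewall "show run" from the first post, which lists no "inspect icmp" line under global_policy even though the poster entered one; the function names are made up for this example.

```python
# Policy section of the firewall "show run" from the first post, as pasted
# (the forum paste lost the leading indentation, which this parser does not need).
POSTED = """\
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
"""
# Constructed variant: the same section with the two "inspect" lines from the reply added.
FIXED = POSTED.replace("inspect tftp\n", "inspect tftp\ninspect http\ninspect icmp\n")

def parse_policy_maps(config):
    """Return {policy_map: {class_name: [inspected protocols]}}."""
    policies, policy, cls = {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "policy-map":
            policy, cls = words[-1], None          # the name is the last token
            policies.setdefault(policy, {})
        elif words[0] in ("!", "class-map", "service-policy"):
            policy, cls = None, None               # the policy-map block has ended
        elif policy and words[0] == "class" and len(words) > 1:
            cls = words[1]
            policies[policy].setdefault(cls, [])
        elif policy and cls and words[0] == "inspect" and len(words) > 1:
            policies[policy][cls].append(words[1])
    return policies

def global_policy_name(config):
    """Name of the policy-map bound by 'service-policy <name> global', or None."""
    for raw in config.splitlines():
        words = raw.split()
        if len(words) == 3 and words[0] == "service-policy" and words[2] == "global":
            return words[1]
    return None

def inspected_globally(config, protocol):
    """True if the globally applied policy-map inspects the given protocol."""
    classes = parse_policy_maps(config).get(global_policy_name(config), {})
    return any(protocol in protos for protos in classes.values())

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("after fix", FIXED)):
        print(label, "icmp inspected:", inspected_globally(cfg, "icmp"))
```

Running the same check on a fresh "show run" after each change, and again after reopening the file, shows whether the inspect lines are actually present in the configuration being tested.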
12-26-2022 04:44 AM
Hi there
Thank you very much for your help and assistance.
Unfortunately, I am still not able to send a ping from PC1 to PC2.
I tried to adjust the global policy, as you suggested, but unfortunately that didn't help.
I suspect that there is a problem with the startup configuration. When I applied the current configuration and then used the "sh run"-command to display the current configuration, it showed me (under global_policy) that "http" and "icmp" are inspected.
But when I restarted Packet tracer and ran the command "sh run" again, it showed me that "http" and "icmp" are no longer inspected.
I attached a few screenshots.
Thank you very much!
12-26-2022 04:48 AM
I have seen this limit before in PKT: even if we wr, the running config is not copied to startup.
So do the steps I mentioned before and test without rebooting.
12-27-2022 11:35 PM
Hi there
Thank you very much for your answer. I followed your steps exactly as you mentioned, and I did the test before the reboot, but unfortunately, it still doesn't work.
If you wish, I can also share the Packet Tracer file with you; then you may be able to investigate.
Thank you very much and have a nice day!
12-24-2022 01:46 PM
12-26-2022 04:46 AM
Hi there
Thank you very much for your help!
Can you tell me what you adjusted in my pkt-file?
Unfortunately, I am not able to find any adjustments.
I suspect that there is a problem with the startup configuration. When I applied the current configuration and then used the "sh run"-command to display the current configuration, it showed me (under global_policy) that "http" and "icmp" are inspected.
But when I restarted Packet tracer and ran the command "sh run" again, it showed me that "http" and "icmp" are no longer inspected.
I attached a few screenshots.
Thank you very much in advance.