Pinging Internet from ASAv Inside Interface

natasav

Please, can anyone explain the reason why I can ping a site on the internet from the outside interface?
I have an Elastic IP on the outside interface, and the default route sends traffic to the gateway on the outside interface subnet.

interface TenGigabitEthernet0/0
nameif outside
security-level 0
ip address 10.177.1.5 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.177.1.1


I can ping the internet successfully from the ASAv, but when I do the same ping from a host on the inside interface, we do not see an echo-reply.
The two scenarios are shown below.


1. Pinging 8.8.8.8 from the outside interface

ciscoasa# ping outside 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

 

2. Pinging 8.8.8.8 from a host in the inside interface
Below shows the output of "debug icmp trace"

ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=11 seq=1 len=56
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=11 seq=2 len=56
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=11 seq=3 len=56


Thanks

Nat

4 Replies

The ASA isn't applying NAT to its own traffic, so that is an invalid IP going out to the internet. An IOS/IOS-XE device will respond on a ping to any interface if it isn't blocked by an ACL. My experience with the ASA platform is that it only responds to pings to the nearest interface.

Thanks Elliot,

I have applied a NAT on the private IP to the Elastic IP on the outside interface and allowed ICMP on the outside interface, but the issue still persists.

access-list outside_in extended permit icmp any any

access-group outside_in in interface outside

Below is the output from "debug icmp trace"

ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=675 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=676 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227

You could have a host ping through the ASA and that could work. I don't think it will ever NAT its own traffic.

I am actually pinging from a host behind the inside interface (10.177.8.11)

I am able to get the echo reply when I changed the mapped address from the Elastic IP to "interface".

nat (inside,outside) source dynamic InsideIpHosts interface

Thanks for the hints you gave. They were very helpful.
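
The accepted fix in the last post maps inside hosts to the outside interface address (10.177.1.5) instead of the Elastic IP; on AWS the Elastic IP is translated at the internet gateway, so the ASAv has to send packets sourced from its own private address. As an added example (not from the thread), this Python function reads "debug icmp trace" output and reports echo requests with no reply and mapped sources that differ from the outside interface address. The function name, the echo-reply line format and the second sample trace are assumptions.

```python
import ipaddress
import re

# Formats of the "debug icmp trace" lines quoted in the thread.
PKT = re.compile(r"ICMP echo (request|reply) from [^:\s]+:(\S+) to [^:\s]+:(\S+) ID=\d+ seq=(\d+)")
XLATE = re.compile(r"ICMP echo request translating [^:\s]+:(\S+) to [^:\s]+:(\S+)")

def analyze_trace(trace, outside_ip):
    """Return unanswered echo requests and mapped sources that are not outside_ip."""
    own = ipaddress.ip_address(outside_ip)
    pending = set()   # (remote host, seq) of requests still waiting for a reply
    foreign = {}      # real inside address -> mapped address the interface does not hold
    for line in trace.splitlines():
        m = PKT.search(line)
        if m:
            kind, src, dst, seq = m.groups()
            # Pair on remote host and seq only: PAT may rewrite the ICMP ID and
            # the reply line may show the mapped address (assumed reply format).
            if kind == "request":
                pending.add((dst, seq))
            else:
                pending.discard((src, seq))
            continue
        m = XLATE.search(line)
        if m and ipaddress.ip_address(m.group(2)) != own:
            foreign[m.group(1)] = m.group(2)
    return {"unanswered": sorted(pending, key=lambda p: int(p[1])), "foreign_mapped": foreign}

# Trace from the thread: NAT to the Elastic IP, no replies.
FAILING = """\
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=675 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=676 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227
"""

# Constructed trace for the "interface" NAT rule (not captured output).
WORKING = """\
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=1 len=56
ICMP echo request translating inside:10.177.8.11 to outside:10.177.1.5
ICMP echo reply from outside:8.8.8.8 to inside:10.177.1.5 ID=14 seq=1 len=56
ICMP echo reply untranslating outside:10.177.1.5 to inside:10.177.8.11
"""

if __name__ == "__main__":
    for name, trace in (("elastic-ip", FAILING), ("interface", WORKING)):
        print(name, analyze_trace(trace, "10.177.1.5"))
```

A non-empty "foreign_mapped" together with unanswered requests points at the NAT rule's mapped address rather than at the ACL or the route.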

 
