10-19-2022 01:19 AM
Please, can anyone explain the reason why I can ping a site on the internet from the outside interface?
I have an Elastic IP on the outside interface, and the default route sends traffic to the gateway on the outside interface subnet
interface TenGigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.177.1.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.177.1.1
I can ping the internet successfully from the ASAv, but when I do the same ping from a host on the inside interface, we do not see an echo-reply.
The two scenarios are shown below.
1. Pinging 8.8.8.8 from the outside interface
ciscoasa# ping outside 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
2. Pinging 8.8.8.8 from a host in the inside interface
Below is the output of "debug icmp trace"
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=11 seq=1 len=56
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=11 seq=2 len=56
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=11 seq=3 len=56
Thanks
Nat
10-19-2022 06:11 AM - edited 10-19-2022 06:11 AM
The ASA isn't applying NAT to its own traffic, so that is an invalid IP going out to the internet. An IOS/IOS-XE device will respond on a ping to any interface if it isn't blocked by an ACL. My experience with the ASA platform is that it only responds to pings to the nearest interface.
10-19-2022 07:01 PM
Thanks Elliot,
I have applied a NAT on the private IP to the Elastic IP on the outside interface and allowed ICMP on the outside interface, but the issue still persists.
access-list outside_in extended permit icmp any any
access-group outside_in in interface outside
Below is the output from "debug icmp trace"
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=675 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=676 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227
10-20-2022 02:15 PM
You could have a host ping through the ASA and that could work. I don't think it will ever NAT its own traffic.
10-21-2022 03:47 AM
I am actually pinging from a host behind the inside interface (10.177.8.11)
I am able to get the echo reply when I changed the mapped address from the Elastic IP to "interface".
nat (inside,outside) source dynamic InsideIpHosts interface
Thanks for the hints you gave. They were very helpful.
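As an added example (not posted by anyone in the thread and not Cisco tooling), this Python script reads "debug icmp trace" output like the lines quoted above and reports which echo requests never got a reply and whether the mapped source address lies in the outside interface subnet. The subnet comes from the posted config; the reply line format and the second sample trace are constructed assumptions.

```python
import ipaddress
import re

# Outside interface subnet from the posted config (10.177.1.5 255.255.255.0).
OUTSIDE_NET = ipaddress.ip_network("10.177.1.0/24")

ECHO = re.compile(r"ICMP echo (request|reply) from \w+:(\S+) to \w+:(\S+) ID=\d+ seq=(\d+)")
XLATE = re.compile(r"ICMP echo request translating \w+:\S+ to \w+:(\S+)")

# Lines quoted from the thread (NAT to the Elastic IP).
THREAD_TRACE = """\
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=675 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=676 len=56
ICMP echo request translating inside:10.177.8.11 to outside:44.210.165.227
"""

# Constructed sample (not from the thread): mapped to the interface address, reply seen.
CONSTRUCTED_TRACE = """\
ICMP echo request from inside:10.177.8.11 to outside:8.8.8.8 ID=14 seq=1 len=56
ICMP echo request translating inside:10.177.8.11 to outside:10.177.1.5
ICMP echo reply from outside:8.8.8.8 to inside:10.177.1.5 ID=14 seq=1 len=56
"""

def analyze(trace, outside_net=OUTSIDE_NET):
    """Return ([(remote, seq)] unanswered requests, {mapped source: in outside subnet})."""
    pending, mapped = {}, {}
    for line in trace.splitlines():
        m = ECHO.search(line)
        if m:
            kind, src, dst, seq = m.groups()
            # Match on remote address and sequence only: with NAT the reply is
            # addressed to the mapped address, not the inside host (simplification).
            if kind == "request":
                pending[(dst, int(seq))] = None
            else:
                pending.pop((src, int(seq)), None)
            continue
        m = XLATE.search(line)
        if m:
            addr = ipaddress.ip_address(m.group(1))
            mapped[str(addr)] = addr in outside_net
    return list(pending), mapped

if __name__ == "__main__":
    for name, trace in (("thread", THREAD_TRACE), ("constructed", CONSTRUCTED_TRACE)):
        print(name, analyze(trace))
```

In AWS the Elastic IP is translated to the interface's private address by the VPC internet gateway, so a mapped source that is not in the outside subnet is the condition worth flagging.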