cannot ping internet through firewall

My Config is: 

 

ISP Router -> Cisco ASA5510 -> Cisco 2951 

 

ISP Router = 192.168.200.1

Cisco ASA5510 0/0 = DHCP (outside)

Cisco ASA5510 0/1 = 10.0.0.1 (inside) - connected to Cisco 2851 0/0

Cisco 2851 0/0 - 10.0.0.2 no nat configured

Cisco 2851 0/1 not configured. 

 

When logged into Cisco 2951 router via console cable, I am unable to ping 4.2.2.2

- Successful ping to 

When logged into Cisco ASA5510 I successfully ping 4.2.2.2

 

Seems that traffic from router is passing through firewall to ISP modem. I don't have ASDM configured. 

How can I confirm this is the issue? The "security-level" for inside on the firewall is set to 100 (default). 

 

When I set the following command: route OUTSIDE 0.0.0.0 0.0.0.0 192.168.200.1 1 I was able to ping outside. Do I need to set a similar command for the inside traffic? 
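One way to confirm whether NAT or routing is dropping the router's ping, as an added example that is not part of the original post: run the ASA's packet-tracer with the router's address as the source and read the phase that reports the drop. It assumes the interface names OUTSIDE/INSIDE and the addresses given in the post; nothing else is configured by it.

```cisco
! Simulate the router's ICMP echo (10.0.0.2 -> 4.2.2.2) entering INSIDE.
! packet-tracer walks every phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and
! ends with "Action: allow" or "Action: drop" plus a drop reason, so a
! missing NAT rule or missing route is named explicitly.
ciscoasa# packet-tracer input INSIDE icmp 10.0.0.2 8 0 4.2.2.2 detailed

! The default route toward the ISP router must appear here as S* 0.0.0.0.
ciscoasa# show route

! Configured NAT rules with hit counts; no rule matching INSIDE sources
! means the ISP router never gets a return path for 10.0.0.0/24.
ciscoasa# show nat detail

! Active translations; a ping from the router should create an entry
! mapping 10.0.0.2 to the OUTSIDE (DHCP-assigned) address.
ciscoasa# show xlate

! Watch the real ping: if CAP_IN fills and CAP_OUT stays empty, the ASA
! is dropping it; if both fill but no reply returns, look upstream.
ciscoasa# capture CAP_IN interface INSIDE match icmp host 10.0.0.2 host 4.2.2.2
ciscoasa# capture CAP_OUT interface OUTSIDE match icmp any host 4.2.2.2
ciscoasa# show capture CAP_IN
ciscoasa# show capture CAP_OUT
ciscoasa# no capture CAP_IN
ciscoasa# no capture CAP_OUT
```

The `route OUTSIDE 0.0.0.0 ...` line already typed gives the ASA its own way out; `show nat` answers the second half of the question, whether anything translates inside sources so that the ISP router can send replies back.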

 

13 Replies

Seb Rupik
VIP Alumni

Hi there,

You don't mention it, but do you have NAT configured on the ASA to translate the 10.0.0.0/8 INSIDE subnets to the ISP subnet (192.168.200.0 /24)?

 

If not, the ISP router will not know how to return traffic sourced from 10.0.0.0/8 .

....unless of course you can configure static routing on the ISP router?

 

cheers,

Seb.

No, I don’t think I have that setup.



So in addition to the NAT setup for inside/outside, it is also required to set up NAT for each network that needs to get to the outside network?


I don't believe I have NAT configured to translate the 10.0.0.0 subnets to the ISP network. Is this done on the interface? Can you provide an example?

 

on the firewall config, I did input the following: 

Ciscoasa(config)# Route outside 0.0.0.0 0.0.0.0 192.168.200.1

 

Please correct me if I have misunderstood, but this sets the static route and does not configure NAT, correct?

Hi there,

Try adding the following config to the ASA:

!
int gi0/0
  nameif OUTSIDE
int gi0/1
  nameif INSIDE
!
object network INSIDE-SUBNET
  subnet 10.0.0.0 255.0.0.0
  nat (INSIDE,OUTSIDE) dynamic interface
!

This will NAT the entire 10.0.0.0/8 subnet behind the ASA OUTSIDE interface.

Let us know how you get on.

 

cheers,

Seb.

Seb,

 

I have performed the commands as you suggested. My network is on a /24 subnet so I modified accordingly. Still not able to ping from router through firewall to 4.2.2.2. 

Just to be clear on my config: 

ISP MODEM=192.168.200.1

ASA getting 192.168.200.169 from ISP (DHCP) - Port 0/0

Static IP 10.0.0.1 configured on port 0/1 ASA - connected to port 0/0 on cisco router. 

Static IP 10.0.0.2 configured on port 0/0 on Cisco Router

Static IP 10.10.0.1 configured on port 0/1 on Cisco router. This will connect to a switch in future. 

 

Below I have copied the firewall and router config: 

 

FIREWALL CONFIG: 
hostname ciscoasa
enable password xxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address dhcp
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif ManageASDM
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
object network obj_10.0.0.x
host 10.0.0.2
object network INSIDE-SUBNET
subnet 10.0.0.0 255.255.255.0
access-list AL-10.0.0.2-to-ISP extended permit tcp any host 192.168.200.1
pager lines 24
logging asdm informational
mtu ManageASDM 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network obj_10.0.0.x
nat (INSIDE,OUTSIDE) static 192.168.200.1
object network INSIDE-SUBNET
nat (INSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.200.1 1
route INSIDE 10.10.0.0 255.255.255.0 192.168.200.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 ManageASDM
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.0.0.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3d0998927addaf8f8e73b7816be4cdc4
: end
ciscoasa(config-network-object)#


ROUTER CONFIG:

Router#show run
Building configuration...
Current configuration : 944 bytes
!
! Last configuration change at 05:22:04 UTC Fri Feb 16 2018
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2851 sn xxxxxx
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.0.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Router#
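Reading the two configs above side by side, three things stand out that a practitioner would check before touching ICMP inspection, and the fragments below are an added example (not a reply from the thread) of the corrected lines, using only the addresses and interface names posted. The 2851 `show run` contains no `ip route` statement at all, so a ping to 4.2.2.2 sourced from it has no route off the box whatever the ASA does. The ASA's `route INSIDE 10.10.0.0` names 192.168.200.169, the ASA's own OUTSIDE address, as next hop instead of the router. And `obj_10.0.0.x` statically maps 10.0.0.2 to 192.168.200.1, which is the ISP router's own address. The dynamic PAT object from Seb's reply is the only NAT rule needed.

```cisco
! --- Cisco 2851: default route toward the ASA INSIDE address ---
! The posted router config has no routes, only two connected interfaces.
Router(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
Router(config)# end
Router# show ip route 4.2.2.2
! Also test from the LAN side so the ASA's route back to 10.10.0.0/24 is exercised.
Router# ping 4.2.2.2 source 10.10.0.1

! --- ASA: point the route for the router's LAN subnet at the router ---
ciscoasa(config)# no route INSIDE 10.10.0.0 255.255.255.0 192.168.200.169 1
ciscoasa(config)# route INSIDE 10.10.0.0 255.255.255.0 10.0.0.2 1

! --- ASA: drop the static NAT that claims the ISP gateway's address ---
! Removing the object also removes the "nat (INSIDE,OUTSIDE) static" rule
! attached to it, so the ASA stops answering for 192.168.200.1 on OUTSIDE.
ciscoasa(config)# no object network obj_10.0.0.x

! --- ASA: translate every inside source behind the OUTSIDE address ---
! The posted object covers 10.0.0.0/24 only; widen it so 10.10.0.0/24
! (the router's LAN) is translated as well. /16 is an assumption that
! simply spans both posted subnets.
ciscoasa(config)# object network INSIDE-SUBNET
ciscoasa(config-network-object)# subnet 10.0.0.0 255.255.0.0
ciscoasa(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface
ciscoasa(config-network-object)# end

! --- Verify from the ASA before retrying the router ---
ciscoasa# show nat
ciscoasa# packet-tracer input INSIDE icmp 10.0.0.2 8 0 4.2.2.2
ciscoasa# packet-tracer input INSIDE icmp 10.10.0.1 8 0 4.2.2.2
```

The unapplied `access-list AL-10.0.0.2-to-ISP` on the ASA does nothing as posted (no `access-group` references it) and can stay or go without affecting the ping.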

Hello,

 

Is this the full configuration? At the very least, you need to add icmp inspect to your global policy:

 

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options

ciscoasa(config)# class inspection_default
ciscoasa(config-cmap)# inspect icmp
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-cmap)#

 

I'm running v8.4. Hmmm, any ideas? I'm turning to Google on this one...

Same here. Any update on this?

Hello,

 

In addition to Seb's posts, you would only need the 'route inside' if you actually had something configured on the LAN side of your router, which you don't seem to have. So essentially your ping is sourced from 10.0.0.2.

 

Do you have icmp inspect configured? Best to post the full config of your ASA...

Hello,

 

See if you get the below to work:

 

class-map CLASS_ICMP
 match default-inspection-traffic

 

policy-map POLICY_ICMP
 class CLASS_ICMP
  inspect icmp

 

service-policy POLICY_ICMP interface outside

Ok, the suggested commands ran on the FW without error. When I connect the console cable back to the router I am still not able to ping 4.2.2.2. I have confirmed that from the firewall I do get successful pings to 4.2.2.2. 

Hello,

 

Do you allow ICMP in your access list?

 

access-list ACL_OUT extended permit icmp any4 any4 echo
access-group ACL_OUT in interface outside
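The `inspect icmp` error earlier in the thread and the access list suggested just above are two ways of getting the echo-reply back in through OUTSIDE; the block below is an added example, not part of any reply, and assumes the posted interface names and the existing `global_policy`. The "% Invalid input" error occurred at a `(config-cmap)#` prompt: `class inspection_default` typed from global config opens the class-map, and `inspect` only exists under a class inside a policy-map, so the policy-map has to be entered first. The ACL variant is shown with reply types only; permitting `echo` inbound would also admit unsolicited echo requests from the internet toward whatever the ASA translates. On 8.4(1) the keyword is `any`, as `any4` arrived in a later release.

```cisco
! --- Preferred: stateful ICMP inspection in the existing global policy ---
! Enter the policy-map first; "inspect" is valid only at (config-pmap-c)#.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# end
! With inspection on, the reply to an outbound echo is matched to its
! request and needs no ACL entry. Confirm it is active and counting:
ciscoasa# show service-policy inspect icmp
ciscoasa# packet-tracer input INSIDE icmp 10.0.0.2 8 0 4.2.2.2

! --- Alternative: stateless ACL on OUTSIDE, only if inspection is not used ---
! Permit replies and error messages; no "echo" entry, so internet hosts
! cannot initiate pings through the ASA.
ciscoasa(config)# access-list ACL_OUT extended permit icmp any any echo-reply
ciscoasa(config)# access-list ACL_OUT extended permit icmp any any time-exceeded
ciscoasa(config)# access-list ACL_OUT extended permit icmp any any unreachable
ciscoasa(config)# access-group ACL_OUT in interface OUTSIDE
ciscoasa(config)# end
ciscoasa# show access-list ACL_OUT
```

Either approach only matters once the router actually has a path to 4.2.2.2 and the ASA translates its source address; with neither in place, the echo never reaches OUTSIDE and there is no reply to let back in.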
