11-08-2017 02:05 AM - edited 03-08-2019 12:39 PM
Hello guys,
I'm quite new to Cisco & networking. I have a brand new Cisco ASA 5506-X that I want to configure to go to the internet. So I used ASDM to configure the router.
The local network is 192.168.107.0 /24 so Inside interface is 192.168.107.1
Outside interface is 37.71.120.114 /30 (Public IP Address provided by ISP) and the gateway is 37.71.120.113.
So the actual cfg is: Modem >>>> (Outside interface) Cisco ASA (Inside interface) >>>>> LAN
I can ping the gateway provided by the ISP with ASDM from the Outside Interface but I can't ping it from the Inside Interface. I can't ping any other IP from the outside interface (tried to ping many public IPs, always timeout).
So first I tried to set up PAT with a static route but this doesn't seem to change anything. I don't get it.
Here is the CFG:
If you see anything wrong tell me; as I said, I'm new to this so I may have done something stupid.
Cheers.
11-08-2017 02:49 AM
Hi,
Try to add these lines to your config:
access-list INSIDE-ACL line 1 extended permit icmp any any echo
access-list INSIDE-ACL line 1 extended permit icmp any any echo-reply
access-list INSIDE-ACL line 1 extended permit ip any any
access-group INSIDE-ACL in interface inside
11-08-2017 04:20 AM
Hello,
in addition to Julio's post I think you also need an inbound access list on the outside interface:
access-list OUT_IN extended permit icmp any any echo
access-group OUT_IN in interface outside
11-08-2017 05:26 AM
Hey guys,
Thank you. So I entered those commands:
access-list INSIDE-ACL line 1 extended permit icmp any any echo
access-list INSIDE-ACL line 1 extended permit icmp any any echo-reply
access-list INSIDE-ACL line 1 extended permit ip any any
access-group INSIDE-ACL in interface inside
access-list OUT_IN extended permit icmp any any echo
access-group OUT_IN in interface outside
I still can't ping my gateway from the inside interface... I don't understand why I should use an ACL to get the ICMP reply, because if the client (in the LAN) initiates the request it should get the answer without using ACLs?
Here is my config now: https://pastebin.com/jn9sA57u
11-08-2017 06:41 AM
Hi
Try including:
access-list OUT_IN extended permit icmp any any echo-reply
11-08-2017 07:02 AM
I did add this line, rebooted the router, can't ping... :'( Maybe an issue with the ISP? Because from the outside interface I can ping the gateway but not any public IP...
11-08-2017 07:07 AM
Usually the firewall protects the local interface to avoid ping or traceroute. How are you trying? On older devices you could not specify the source the way we do on routers.
11-08-2017 07:11 AM
I use the ASDM to ping IPs so I can choose from which interface or IP address I want to ping. I also tried to connect a computer to the local network and ping the gateway, and I don't get any response from the ISP gateway or other public addresses. Maybe I should try another way?
11-08-2017 07:12 AM
If you are trying from a PC you should get a response, try to ping 8.8.8.8, also verify the IP settings on the PC.
I'm going to double check your config.
11-08-2017 07:16 AM
Try with
no nat (any,outside) dynamic interface
no nat (inside,outside) after-auto source dynamic any interface
object network obj_any
no network 0.0.0.0 0.0.0.0
network-object 192.168.107.0 255.255.255.0
nat (inside,outside) dynamic interface
So every network you include in this object-group will be natted.
11-08-2017 07:31 AM
Hello,
try and add the below to your configuration:
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit 37.71.120.112 255.255.255.252 outside
icmp permit 192.168.107.0 255.255.255.0 outside
icmp permit any inside
icmp permit 192.168.107.0 255.255.255.0 inside