
Ping ISP gateway OK from Outside interface. Inside not ok.

Cyantist
Level 1

Hello guys,

 

I'm quite new to Cisco & networking. I have a brand new Cisco ASA 5506-X that I want to configure to go to the internet. So I used ASDM to configure the router.

 

The local network is 192.168.107.0 /24 so Inside interface is 192.168.107.1 

Outside interface is 37.71.120.114 /30 (Public IP Address provided by ISP) and the gateway is 37.71.120.113.

 

So the actual cfg is: Modem >>>> (Outside interface) Cisco ASA (Inside interface) >>>>> LAN 

I can ping the gateway provided by the ISP with ASDM from the Outside interface but I can't ping it from the Inside interface. I can't ping any other IP from the outside interface (tried to ping many public IPs, always timeout).

So first I tried to set up PAT with a static route but this doesn't seem to change anything. I don't get it.

Here is the CFG: 

https://pastebin.com/TT5w775F

 

If you see anything wrong tell me; as I said, I'm new to this so I may have done something stupid.

Cheers. 

 

 

 

10 Replies

Hi,

Try adding these lines to your config:

access-list INSIDE-ACL line 1 extended permit icmp any any echo

access-list INSIDE-ACL line 1 extended permit icmp any any echo-reply

access-list INSIDE-ACL line 1 extended permit ip any any

 

access-group INSIDE-ACL in interface inside

 




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hello,

 

In addition to Julio's post, I think you also need an inbound access list on the outside interface:

 

access-list OUT_IN extended permit icmp any any echo
access-group OUT_IN in interface outside

Hey guys,

Thank you. So I entered those commands:

 

access-list INSIDE-ACL line 1 extended permit icmp any any echo

access-list INSIDE-ACL line 1 extended permit icmp any any echo-reply

access-list INSIDE-ACL line 1 extended permit ip any any

access-group INSIDE-ACL in interface inside

access-list OUT_IN extended permit icmp any any echo

access-group OUT_IN in interface outside

 

I still can't ping my gateway from the inside interface... I don't understand why I should use an ACL to get the ICMP reply, because if the client (in the LAN) initiates the request it should get the answer without using ACLs?

 

Here is my config now: https://pastebin.com/jn9sA57u

Hi

Try including:

access-list OUT_IN extended permit icmp any any echo-reply





I did add this line, rebooted the router, can't ping... :'( Maybe an issue with the ISP? Because from the outside interface I can ping the gateway but not any public IP...

Usually the firewall protects the local interface to avoid ping or traceroute. How are you trying? On older devices you could not specify the source like we do on routers.





I use the ASDM to ping IPs so I can choose which interface or IP address I want to ping from. I also tried to connect a computer to the local network and ping the gateway, and I don't get any response from the ISP gateway or other public addresses. Maybe I should try another way?

If you are trying from a PC you should get a response. Try to ping 8.8.8.8, and also verify the IP settings on the PC.

I'm going to double check your config.





Try with:

no nat (any,outside) dynamic interface

no nat (inside,outside) after-auto source dynamic any interface

 

object network obj_any

no subnet 0.0.0.0 0.0.0.0

subnet 192.168.107.0 255.255.255.0

nat (inside,outside) dynamic interface

 

So every network you include in this object-group will be NATted.

 

 





Hello,

 

Try adding the below to your configuration:

 

icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit 37.71.120.112 255.255.255.252 outside
icmp permit 192.168.107.0 255.255.255.0 outside
icmp permit any inside
icmp permit 192.168.107.0 255.255.255.0 inside
