cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
509
Views
0
Helpful
3
Replies

asa 5505 inside to outside ping ?

fran19422
Level 1
Level 1

Hello, for some reason I cannot ping from a host on my inside network to my outside network interface

i.e. ping from 192.168.0.100 to 192.168.200.2

Also vice versa, when I ping from the asa5505's outside interface to any inside network address it does not work.

Can anyone see wht this is ? - it has to be something simple.

Thanks kindly for any help.

Result of the command: "show running-config"

Result of the command: "show running-config"

ASA Version 8.0(2)

!

hostname philASA5505

domain-name phil.home

enable password ma.B/.HgoVfoLiCL encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

ospf cost 10

!

interface Vlan2

no forward interface Vlan5

nameif outside

security-level 100

ip address 192.168.200.2 255.255.255.0

ospf cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 5

!

passwd ma.B/.HgoVfoLiCL encrypted

ftp mode passive

clock timezone NZST 12

clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00

dns server-group DefaultDNS

domain-name phil.home

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network lan

description lan

network-object host 192.168.100.0

access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm errors

mtu inside 1500

mtu outside 1500

ip local pool philpool 192.168.0.1-192.168.0.99 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.0.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.200.1 1

route outside 192.168.100.0 255.255.255.0 192.168.200.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 192.168.200.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

no crypto isakmp nat-traversal

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.0.100-192.168.0.120 inside

dhcpd dns 8.8.8.8 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map global-class

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global-policy

class global-class

  inspect icmp

!

service-policy global-policy global

webvpn

enable outside

svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy philtunnel internal

group-policy philtunnel attributes

dns-server value 4.2.2.2 8.8.8.8

vpn-tunnel-protocol IPSec

username phil password DfN1FSNE/PrGENWQ encrypted privilege 15

tunnel-group 192.168.200.1 type ipsec-l2l

tunnel-group 192.168.200.1 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:809d3cdfdada66715a76c3aa57905add

: end

3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

I do not see in your config an entry for

policy-map global-policy

is there an entry for this that somehow did not get posted?

and under that policy-map is there an entry for

class global-class

and under that is there an entry for

inspect icmp

If these are missing then I suggest that you add them to your config and see if the behavior changes.

HTH

Rick

HTH

Rick

thank you Rick, I added what you suggested, however the behaviour has still not changed.

There must be something else that I have missed.

Thank you kindly for any help.

icmp permit any outside ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: