ASA simple setup

May 15th, 2008

I have a problem pinging from the inside interface to the outside interface and also from the outside interface to interface. I have included the sh run and sh ver commands with this email. I wanted to try this simple setup first.

ciscoasa# sh run
ASA Version 7.0(7)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.x.x.225 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
access-list outside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
arp timeout 14400
nat-control
global (outside) 10 209.165.200.230-209.165.200.240
global (outside) 10 10.10.10.1
global (inside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

srue Thu, 05/15/2008 - 04:32

The ASA doesn't let you ping a far-side interface. You can only ping the ASA interface that is closest to the source host of the ping.

The easiest way to configure ping *through* the firewall is to turn on ICMP inspection:

policy-map global_policy
 class inspection_default
  inspect icmp
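
Added example (not part of the original posts, and not Cisco code): a small Python check of a running-config for the two things that decide whether ping passes through the ASA from the inside, namely ICMP inspection and the ACL bound inbound on the source interface. On the posted config, `inside_access_in` permits only tcp, so echo requests from inside hosts hit the implicit deny even once `inspect icmp` is added. The function name `icmp_through_check` and the trimmed sample config are assumptions made for illustration.

```python
import re

# Constructed sample: the ICMP-relevant lines of the running-config posted above.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
"""

def icmp_through_check(config, src_if="inside"):
    """Hypothetical helper: can hosts behind src_if ping through the ASA?

    Simplifications: ACL entries are matched on protocol only (addresses and
    ICMP types are ignored), src_if is assumed to be the higher-security
    side, and NAT is not evaluated.
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # ICMP inspection makes the ASA track echo/echo-reply as a session,
    # so replies are allowed back without an ACL entry on the far side.
    inspect_icmp = "inspect icmp" in lines
    # Name of the ACL bound inbound on the source interface, if any.
    acl = None
    for l in lines:
        m = re.fullmatch(r"access-group (\S+) in interface (\S+)", l)
        if m and m.group(2) == src_if:
            acl = m.group(1)
    # No inbound ACL: higher-to-lower security traffic is permitted by default.
    acl_permits = acl is None
    if acl is not None:
        pat = rf"access-list {re.escape(acl)} extended (permit|deny) (\S+) "
        for l in lines:
            m = re.match(pat, l)
            if m and m.group(2) in ("icmp", "ip"):
                acl_permits = m.group(1) == "permit"
                break  # first match wins; no match means implicit deny
    return {"inspect_icmp": inspect_icmp, "acl": acl,
            "acl_permits_icmp": acl_permits,
            "ping_through": inspect_icmp and acl_permits}

if __name__ == "__main__":
    print(icmp_through_check(SAMPLE_CONFIG))
```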
