cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1316
Views
0
Helpful
8
Replies

Cant ping DG in ASA 5505

I am trying to configure a new ASA.

inside 10.xxx.180.1 255.255.255.128

outside xxx.xxx.120.115 255.255.255.128

from the inside I can not ping out to the DG or access internet.

I can ping the outside interface from the out side.

I have ADSm syslogginh enable and when I ping from the inside it says.

denied ICMP type=0, code =0 from xxx.xxx.120.125 on interface outside

I also see this

portmap creation failed for src inside 10.xxx.180.3/137 to dst outside xxx.2337/137 (This is my DNS server).

Help please.

Mike Williams

Tarleton State University

1 Accepted Solution

Accepted Solutions

Mike,

Try this configuration and test your ping from inside to outside.

nat (inside) 1 10.x.180.0 255.255.255.128 --> This is your inside network.

global (outside) 1 interface

fixup protocol icmp

Let us know if this helps.

HTH

Sundar

View solution in original post

8 Replies 8

Mike,

Try this configuration and test your ping from inside to outside.

nat (inside) 1 10.x.180.0 255.255.255.128 --> This is your inside network.

global (outside) 1 interface

fixup protocol icmp

Let us know if this helps.

HTH

Sundar

Sundar,

I can now access the internet from the inside, but I still can't ping the DG .

when I ping I still see denied ICMP type=0 code 0 from xxx.xxx.120.125 on ouside interface.

Mike

ICMP traffic isn't inspected by default.

Did you add the configuration 'fixup protocol icmp'?

If still doesn't work can you post a sanitized copy of the ASA configuration.

Yes i added Fixup protocol icmp.

Here is my config

hostname I

domain-name

enable password xxx

passwd xxx

names

!

interface Vlan2

description ASA outside interface

nameif outside

security-level 0

ip address xxx.xx.120.115 255.255.255.128

!

interface Vlan70

description Inside network for Touchnet

nameif inside

security-level 100

ip address 10.xxx.180.1 255.255.255.128

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 70

!

interface Ethernet0/2

switchport access vlan 70

!

interface Ethernet0/3

switchport access vlan 70

!

interface Ethernet0/4

switchport access vlan 70

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 70

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name tarleton.edu

pager lines 24

logging enable

logging timestamp

logging asdm informational

logging host outside xxx.xxx.23.140

logging permit-hostdown

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 10.xxx.180.0 255.255.255.128 inside

icmp permit xxx.xx.21.0 255.255.255.128 outside

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.XX.180.0 255.255.255.128

router eigrp 165

no auto-summary

eigrp stub connected

route outside 0.0.0.0 0.0.0.0 xxx.xxx.120.125 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.xxx.180.0 255.255.255.0 inside

http xxx.xxx.21.0 255.255.255.128 outside

snmp-server host outside 165.95.23.140 community TSUroCN

snmp-server location Data Center

snmp-server contact Mike Williams

snmp-server community XXXXXXX

snmp-server enable traps snmp authentication coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start

telnet XXX.XXX.21.0 255.255.255.128 outside

telnet timeout 5

ssh XXX.XXX.21.0 255.255.255.128 outside

ssh timeout 5

console timeout 0

dhcpd dns xxx.xxx.23.137 xxx.xxx.23.137

dhcpd wins xxx.xxx.23.133 xxx.xx.23.133

dhcpd ping_timeout 30

dhcpd domain tarleton.edu

dhcpd update dns

!

dhcpd address 10.xxx.180.2-10.xxx.180.100 inside

dhcpd dns xxx.xxx.23.137 xxx.xxx.23.133 interface inside

dhcpd wins xxx.xxx.23.137 xxx.xxx.23.133 interface inside

dhcpd ping_timeout 30 interface inside

dhcpd domain xxxxxxxxx interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

ntp server 10.1.xxx.xxx source outside prefer

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

thanks

mike

"threat-detection basic-threat" I haven't worked with this command before. Can you remove this command and check.

in the config it now states

no threat-detection basic threat.

still can not ping out .

I can ping from outside to outside interface.

Mike

Mike

Just wanted to make sure you are pinging from inside to outside, right?

If you are then the following configuration that you have in there now should allow ICMP echo-reply packets to come through.

policy-map global_policy

class inspection_defaul

inspect icmp

Though this is the legacy way of doing it you can try this configuration and that should work.

access-list OUTSIDE permit icmp any any echo-reply

access-group OUTSIDE in interface outside

HTH

Sundar

Sundar.

It works! thank you for your help.

Mike Williams

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: