07-22-2008 11:52 AM - edited 03-11-2019 06:18 AM
I am trying to configure a new ASA.
inside 10.xxx.180.1 255.255.255.128
outside xxx.xxx.120.115 255.255.255.128
From the inside I cannot ping out to the DG or access the internet.
I can ping the outside interface from the outside.
I have ASDM syslogging enabled, and when I ping from the inside it says:
denied ICMP type=0, code =0 from xxx.xxx.120.125 on interface outside
I also see this
portmap creation failed for src inside 10.xxx.180.3/137 to dst outside xxx.2337/137 (This is my DNS server).
Help please.
Mike Williams
Tarleton State University
07-22-2008 12:53 PM
Mike,
Try this configuration and test your ping from inside to outside.
nat (inside) 1 10.x.180.0 255.255.255.128 --> This is your inside network.
global (outside) 1 interface
fixup protocol icmp
Let us know if this helps.
HTH
Sundar
07-22-2008 01:03 PM
Sundar,
I can now access the internet from the inside, but I still can't ping the DG.
When I ping I still see "denied ICMP type=0 code 0 from xxx.xxx.120.125" on the outside interface.
Mike
07-22-2008 01:14 PM
ICMP traffic isn't inspected by default.
Did you add the configuration 'fixup protocol icmp'?
If it still doesn't work, can you post a sanitized copy of the ASA configuration?
07-22-2008 01:23 PM
Yes, I added fixup protocol icmp.
Here is my config:
hostname I
domain-name
enable password xxx
passwd xxx
names
!
interface Vlan2
 description ASA outside interface
 nameif outside
 security-level 0
 ip address xxx.xx.120.115 255.255.255.128
!
interface Vlan70
 description Inside network for Touchnet
 nameif inside
 security-level 100
 ip address 10.xxx.180.1 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 70
!
interface Ethernet0/2
 switchport access vlan 70
!
interface Ethernet0/3
 switchport access vlan 70
!
interface Ethernet0/4
 switchport access vlan 70
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 70
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name tarleton.edu
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging host outside xxx.xxx.23.140
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.xxx.180.0 255.255.255.128 inside
icmp permit xxx.xx.21.0 255.255.255.128 outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.XX.180.0 255.255.255.128
router eigrp 165
 no auto-summary
 eigrp stub connected
route outside 0.0.0.0 0.0.0.0 xxx.xxx.120.125 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.xxx.180.0 255.255.255.0 inside
http xxx.xxx.21.0 255.255.255.128 outside
snmp-server host outside 165.95.23.140 community TSUroCN
snmp-server location Data Center
snmp-server contact Mike Williams
snmp-server community XXXXXXX
snmp-server enable traps snmp authentication coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
telnet XXX.XXX.21.0 255.255.255.128 outside
telnet timeout 5
ssh XXX.XXX.21.0 255.255.255.128 outside
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.23.137 xxx.xxx.23.137
dhcpd wins xxx.xxx.23.133 xxx.xx.23.133
dhcpd ping_timeout 30
dhcpd domain tarleton.edu
dhcpd update dns
!
dhcpd address 10.xxx.180.2-10.xxx.180.100 inside
dhcpd dns xxx.xxx.23.137 xxx.xxx.23.133 interface inside
dhcpd wins xxx.xxx.23.137 xxx.xxx.23.133 interface inside
dhcpd ping_timeout 30 interface inside
dhcpd domain xxxxxxxxx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server 10.1.xxx.xxx source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
Thanks,
Mike
07-22-2008 01:45 PM
"threat-detection basic-threat": I haven't worked with this command before. Can you remove this command and check?
07-22-2008 01:54 PM
In the config it now states "no threat-detection basic-threat".
Still cannot ping out.
I can ping from outside to the outside interface.
Mike
07-22-2008 02:36 PM
Mike,
Just wanted to make sure you are pinging from inside to outside, right?
If you are then the following configuration that you have in there now should allow ICMP echo-reply packets to come through.
policy-map global_policy
 class inspection_default
  inspect icmp
Though this is the legacy way of doing it, you can try this configuration and that should work:
access-list OUTSIDE permit icmp any any echo-reply
access-group OUTSIDE in interface outside
HTH
Sundar
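As an added example (not from this thread or from Cisco), here is a small Python checker that parses the two ASA log messages Mike quoted, the ICMP denial and the portmap creation failure, and maps them onto the two fixes Sundar gave: the nat/global pair for the failed translation, and 'inspect icmp' or an inbound echo-reply ACL for the dropped replies. The regexes follow the wording quoted on the page; the sample log lines, the gateway address and the hypothetical function names are constructed for this example, with addresses from documentation ranges.

```python
import re

# Patterns built from the two log lines quoted in the thread (constructed for this
# example; the separator between interface name and address accepts ' ' or ':').
ICMP_DENY_RE = re.compile(
    r"[Dd]enied ICMP type\s*=\s*(?P<type>\d+),\s*code\s*=\s*(?P<code>\d+) "
    r"from (?P<src>[\d.]+) on interface (?P<ifc>\w+)"
)
PORTMAP_RE = re.compile(
    r"portmap (?:translation )?creation failed for (?:\w+ )?src (?P<src_ifc>\w+)[ :]"
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to dst (?P<dst_ifc>\w+)[ :](?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample syslog output mirroring the symptoms described in the thread.
SAMPLE_LOG = """\
Jul 22 2008 13:05:01: Denied ICMP type=0, code=0 from 192.0.2.125 on interface outside
Jul 22 2008 13:05:02: Denied ICMP type=0, code=0 from 192.0.2.125 on interface outside
Jul 22 2008 13:05:03: Denied ICMP type=8, code=0 from 198.51.100.7 on interface outside
Jul 22 2008 13:05:04: portmap creation failed for src inside 10.0.180.3/137 to dst outside 198.51.100.7/137
"""

def parse_log(log_text):
    """Return (icmp_denials, portmap_failures) parsed from ASA syslog text."""
    icmp, portmap = [], []
    for line in log_text.splitlines():
        m = ICMP_DENY_RE.search(line)
        if m:
            icmp.append({"type": int(m["type"]), "code": int(m["code"]),
                         "src": m["src"], "ifc": m["ifc"]})
            continue
        m = PORTMAP_RE.search(line)
        if m:
            portmap.append({"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return icmp, portmap

def diagnose(icmp, portmap, default_gateway):
    """Map parsed events onto the two fixes from the thread; returns a list of findings."""
    findings = []
    # ICMP type 0 is echo-reply: replies to inside pings arriving on outside and being dropped.
    replies = [e for e in icmp if e["type"] == 0 and e["ifc"] == "outside"
               and e["src"] == default_gateway]
    if replies:
        findings.append(f"{len(replies)} echo-reply packets from gateway {default_gateway} dropped "
                        "on outside: return traffic for inside pings is not allowed back; "
                        "check 'inspect icmp' in global_policy or permit icmp echo-reply inbound")
    if portmap:
        hosts = sorted({e["src"] for e in portmap})
        findings.append(f"PAT allocation failed for inside hosts {hosts}: no nat/global rule "
                        "covers them, so their outbound traffic cannot be translated")
    return findings
```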
07-23-2008 05:49 AM
Sundar,
It works! Thank you for your help.
Mike Williams