Not a response ping from external IP

elecorbalan
Level 1

Hi,

I have a problem with an ASA: I cannot ping a modem that is directly connected to the outside ASA interface.

The ACL is set to permit IP any to any.

And the static rules are:

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0

The modem has an IP address in the same subnet as the outside interface address. The inside subnet range is 10.0.0.0.

Can you see why I can't ping the modem? Is it because the nat 0 command removes NAT from all packets from 10.0.0.0, so the packet's source IP is not in the same subnet as the modem IP?

Accepted Solution (Jon Marshall)

No, but if you make changes to NAT you will need to do a "clear xlate" to remove the existing NAT translations.

13 Replies

Jon Marshall
Hall of Fame

Elena

"Is it because the nat 0 command removes NAT from all packets from 10.0.0.0, so the packet's source IP is not in the same subnet as the modem IP?"

Well, yes, very probably. Unless the modem has a route for 10.0.0.0/24 pointing back to the outside interface of your ASA, it won't work.

You need to NAT the 10.0.0.x addresses as they leave the outside interface of the ASA, so remove the NAT exemption part of your config, i.e.

no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any

Jon

Can I remove the line nat (inside) 0 access-list inside_nat0_outbound_1 ?

Elena

Difficult to say, as you only posted part of your config. If you are sure it is not being used for anything else on the firewall, then yes, you can remove it.

Jon

Jon,

I understand what you mean, and I want all the traffic to be NATted.

Otherwise, I still have the problem with the modem, and I am not sure whether the cable has to be straight or crossover. Is the firewall like a PC or like a switch in this respect?

If you want all traffic to be NATted then yes, remove that line from your config.

The firewall is like a router/PC in this regard, so you either

1) need a switch between the modem and pix and use straight thru cables

OR

2) Use a crossover cable

Jon

With a crossover cable and with NAT activated on outside, I still have problems pinging the modem address --.49, which is in the same subnet as the outside interface IP --.50.

I am sending you the configuration so you can look for any discrepancy that stops pings from getting through.

For example, look at the command

icmp unreachable rate-limit 1 burst-size 1

I have also configured VPNs for remote access, but I can't paste that part of the configuration in the text window. Tell me also whether this could be the problem.

Please help me. Thanks.

ASA Version 8.0(4)
!
hostname --
domain-name --.es
enable password -- encrypted
passwd -- encrypted
names
name -- PoolVPN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address --.50 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.22 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name --
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list AccesoLANlocal remark Acceso local conectado a VPN
access-list AccesoLANlocal standard permit host 0.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
access-list 101 extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any 10.0.0.0 255.255.255.0 echo-reply inactive
access-list outside_access_in extended permit tcp any any eq www
access-list inside_nat0_outbound_1 extended permit ip any 10.0.0.0 255.255.255.192
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.0.0.30-10.0.0.39 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 --.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

Elena

Can you ping the .49 address from the ASA device itself?

You may need to clear xlate if you have changed the NAT translations, or at least clear xlate for the inside host you are pinging the modem from.

Jon

No, I can't ping the .49 address.

Can you add to your config

icmp permit any outside

This is only temporary. Retest with both a straight-through and a crossover cable, just in case the modem is doing something funny.

Jon

I've already tried with a straight-through and a crossover cable, but without the command

icmp permit any outside

I'll try the command on Monday. But I don't think it will work, because I tried a test config before, with a PC on the outside, and I pinged it successfully.

Could this problem be related to the VPN remote access?

Does the ASA need to restart the interface to apply changes to NAT?

No, but if you make changes to NAT you will need to do a "clear xlate" to remove the existing NAT translations.

Jon
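The thread's advice (drop the 10.0.0.0/24 NAT exemption, keep PAT to the outside interface, then "clear xlate") pulled together as one ASA 8.0(4) configuration fragment with the checks a practitioner would run next. This is an added example, not configuration from any of the posters; 192.0.2.49 (modem) and 192.0.2.50/30 (ASA outside) are placeholder addresses standing in for the redacted --.49 and --.50, and 10.0.0.100 is a hypothetical inside host.

```cisco
! Added example, not from the original thread. 192.0.2.49 / 192.0.2.50 are
! placeholders for the redacted modem and outside-interface addresses.
!
! --- 1. What the thread's original NAT section does ---
! "nat 0 access-list" is NAT exemption and is evaluated before dynamic NAT/PAT.
! 10.0.0.0/24 -> any matches, so an inside host's ping leaves the outside
! interface with source 10.0.0.x. The modem has no route back to 10.0.0.0/24,
! so its echo-reply never arrives.
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
!
! --- 2. Corrected: exempt only the VPN pool, PAT everything else ---
! inside_nat0_outbound_1 from the posted config covers the VPN pool
! 10.0.0.30-39 (inside 10.0.0.0/26), so inside <-> VPN-client traffic is still
! not PATted while internet-bound traffic is translated to 192.0.2.50.
no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip any 10.0.0.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound_1
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
! Existing translations outlive a NAT change; drop them so new flows use the
! new rules (this is the accepted answer's "clear xlate").
clear xlate
!
! --- 3. Verification ---
! Simulate the inside host's echo-request (type 8, code 0) and confirm the NAT
! phase selects rule 101 rather than the exemption.
packet-tracer input inside icmp 10.0.0.100 8 0 192.0.2.49
! Confirm the PAT entry is built with the outside interface address.
show xlate
! Ping from the ASA itself: self-originated traffic is not subject to
! "nat (inside)", so if this also fails the problem is layer 2 (cable, ARP)
! or the modem, not NAT.
ping outside 192.0.2.49
show arp
! Echo-replies addressed to the outside interface itself are governed by the
! "icmp" commands, not by outside_access_in; open them while testing.
icmp permit any outside
```

The packet-tracer output is the quickest way to tell which of the two failure modes is in play: if the NAT phase shows the exemption being matched, the 10.0.0.x source survives and the modem cannot reply; if NAT picks rule 101 and the ASA's own ping to the modem still fails, look at the cable, "show arp" and the modem rather than at the NAT configuration.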

It's OK, thanks.
