Unable to ping External interface address from Internal hosts

Unanswered Question
May 14th, 2009


Hi All,


Hope you can help me with my little problem. I am new to Cisco and I started to configure my Cisco ASA, but I am unable to ping the external interface address from internal hosts.


What I wanna do is to NAT the internal address with the external interface address, but unfortunately the internal interface cannot communicate with the external interface.


Here's the config I created:


---------------

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu management 1500
mtu external 1500
mtu internal 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
access-group ping in interface external
access-group ping in interface internal
access-group ping out interface internal
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:706119cb0c9cf6aab593bae0e6bc3534
: end

----------------


Here's the block diagram of my simple network:


Internal <==> Cisco ASA (Firewall) <==> Internet


Hope you can give me some advice.


Thanks in advance. :)


Regards,


Marlon

lonskinini Sun, 05/17/2009 - 16:13

Hi Andrew,


Thanks for your advice.


I tried removing the following but still cannot ping the external interface from internal:


access-group ping in interface internal

access-group ping out interface internal


Is there anything I should do with the route or nat?


I can ping external interface from outside (internet).


Thanks,


Marlon

Marlon,


I am confused. Are you actually saying that you cannot ping the external interface IP from the inside? If so, that is the correct and natural operation of the device. You cannot ping the external IP address from the inside; the firewall will not answer/route a packet from the inside that requests connection/response from the outside interface.


HTH
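
The behaviour described in the reply above, as an added example that is not part of the original thread: Python that reads the interface stanzas of a running-config and reports whether a ping is aimed at the interface it arrived on, at another ("far-side") interface of the firewall, or at a host beyond it. The sample config is constructed, 203.0.113.228 stands in for the masked external address, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of the posted config. 203.0.113.228 is a
# documentation-range stand-in for the external address the post masks.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 203.0.113.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no ip address
!
"""

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface; unnamed or unaddressed ports are skipped."""
    found, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None  # new stanza: forget the previous nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif name and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            found[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def classify_ping(interfaces, ingress, target):
    """Classify an echo request that arrives on `ingress` addressed to `target`."""
    target = ipaddress.ip_address(target)
    owner = next((n for n, i in interfaces.items() if i.ip == target), None)
    if owner is None:
        return "through"      # a host beyond the firewall: NAT and ACLs decide
    if owner == ingress:
        return "to-the-box"   # the interface the packet arrived on may answer
    return "far-side"         # another interface's address: no reply, by design

if __name__ == "__main__":
    asa = parse_interfaces(SAMPLE_CONFIG)
    for ingress, target in [("internal", "203.0.113.228"), ("external", "203.0.113.228")]:
        print(ingress, "->", target, ":", classify_ping(asa, ingress, target))
```

A "far-side" result for a failed ping means the firewall is behaving as designed, so connectivity through it should be tested against a host beyond the firewall instead.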

lonskinini Mon, 05/18/2009 - 00:01

Hi Andrew,


Thanks for the information.


If that's the case then all should be working now. =)


Thanks again.


Marlon


