Unable to ping External interface address from Internal hosts

lonskinini
Level 1

Hi All,

Hope you can help me with my little problem. I am new to Cisco and I started to configure my Cisco ASA, but I am unable to ping the external interface address from internal hosts.

What I want to do is to NAT the internal address with the external interface address, but unfortunately the internal interface cannot communicate with the external interface.

Here's the config I created:

---------------
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password Qe0yKBKYpRMBmOsL encrypted
names
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address 116.xyz.xyz.228 255.255.255.192
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 172.31.24.253 255.255.248.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit icmp any any time-exceeded
access-list ping extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu management 1500
mtu external 1500
mtu internal 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (external) 1 interface
nat (internal) 1 0.0.0.0 0.0.0.0
access-group ping in interface external
access-group ping in interface internal
access-group ping out interface internal
route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:706119cb0c9cf6aab593bae0e6bc3534
: end
----------------

Here is the block diagram of my simple network:

Internal <==> Cisco ASA (Firewall) <==> Internet

Hope you can give me some advice.

Thanks in advance. :)

Regards,

Marlon

4 Replies

andrew.prince
Level 10

Marlon, you are actually blocking ping coming in the inside interface:-

remove the below:-

access-group ping in interface internal

access-group ping out interface internal

and re-test.

Hi Andrew,

Thanks for your advice.

I tried removing the following but still cannot ping the external interface from internal:

access-group ping in interface internal

access-group ping out interface internal

Is there anything I should do with the route or nat?

I can ping external interface from outside (internet).

Thanks,

Marlon

Marlon,

I am confused. Are you actually saying that you cannot ping the external interface IP from the inside? If so, that is correct and natural operation of the device. You cannot ping the external IP address from the inside; the firewall will not answer/route a packet from the inside that requests connection/response from the outside interface.

HTH

Hi Andrew,

Thanks for the information.

If that's the case then all should be working now. =)

Thanks again.

Marlon
