ASA - inside can't ping internet IP's, but outside can

Answered Question
Feb 10th, 2010

Hello,


I have configured an ASA 5505 to get on the internet.  The outside interface is plugged into a Cisco 877 DSL (10.5.5.1) router.  If I log into the router it can ping google.com via its IP 216.239.59.104, and if I CLI to the ASA it can too (see below); however, the inside (172.19.5.0/24) can't ping Google's IP. Can you see why?


ASA ping:


ASA# ping 216.239.59.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.239.59.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms
ASA#


I can get to the ASA's SSH over the internet, but if I turn on "debug ip packet" on the router and then get a PC on 172.19.5.x/24 to ping 216.239.59.104,
it shows nothing, nor does "sh ip nat tran".


Config


ASA Version 8.2(2)
!
hostname ASA
domain-name 1234
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.5.5.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name gb.vo.local
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip 172.19.5.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 172.19.5.0 255.255.255.0 any
pager lines 24
logging enable
logging buffer-size 100000
logging console critical
logging monitor critical
logging buffered critical
logging trap critical
logging asdm notifications
logging host inside 192.168.21.19
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.5.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 172.19.5.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
http 192.168.21.14 255.255.255.255 inside
http 192.168.21.19 255.255.255.255 inside
http 192.168.60.11 255.255.255.255 inside
http 192.168.90.11 255.255.255.255 inside
snmp-server host inside 192.168.21.19 community *****
snmp-server location **
snmp-server contact ***
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 172.19.5.0 255.255.255.0 inside
telnet 192.168.21.14 255.255.255.255 inside
telnet 192.168.21.19 255.255.255.255 inside
telnet 192.168.90.11 255.255.255.255 inside
telnet timeout 5
ssh 172.19.5.0 255.255.255.0 inside
ssh 192.168.21.14 255.255.255.255 inside
ssh 192.168.21.19 255.255.255.255 inside
ssh 192.168.90.11 255.255.255.255 inside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 20
dhcpd auto_config outside
!
dhcpd address 172.19.5.20-172.19.5.254 inside
dhcpd dns 192.168.21.10 192.168.21.11 interface inside
dhcpd domain 1234 interface inside
dhcpd option 3 ip 172.19.5.1 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0668d2296b7cba20fd5f7de38f80b90
: end

Collin Clark Wed, 02/10/2010 - 11:52

Your NAT statements are incorrect. You're not NATing the traffic from inside to outside. If you need more hints in getting this to work, just let us know.

Andy White Wed, 02/10/2010 - 12:01

Please let me know, my head hurts.  I've run the packet tracer and it seems fine though.


Collin Clark Wed, 02/10/2010 - 12:07

No problem, I've been there


You have two NAT statements~
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0


and the ACL that is referenced by the first statement~

access-list inside_nat0_outbound extended permit ip 172.19.5.0 255.255.255.0 any


NAT0 will always take precedence and with the nat (inside) 0 access-list inside_nat0_outbound command and referencing the ACL, you're telling the ASA to NOT NAT any traffic sourcing from 172.19.5.0/24 to anywhere. It does not look like you have VPN configured, so you should be safe removing nat (inside) 0 access-list inside_nat0_outbound. The second statement, nat (inside) 1 0.0.0.0 0.0.0.0 is correct for NATing all internal traffic.


Hope it helps.
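The precedence rule described in the answer above (NAT exemption via nat 0 access-list is evaluated before dynamic nat/global) can be worked through with a small model of the ASA 8.2 outbound NAT lookup. This is an added illustration, not ASA code and not part of the original thread: it parses the four NAT-related lines from the posted config, evaluates them in the order the ASA uses, and shows that a packet from 172.19.5.10 to 216.239.59.104 leaves untranslated while the exemption is present, and is PAT'd to the outside interface address 10.5.5.2 once the exemption line and its ACL are removed. The host 172.19.5.10 and the `if_ips` mapping are assumptions for the demonstration; static and policy NAT are omitted because the posted config has none.

```python
"""Model of the ASA 8.2 outbound NAT lookup order (constructed example).

Assumed order, per ASA 8.2 behaviour discussed in the thread:
  1. NAT exemption:  nat (IF) 0 access-list NAME   -> source left unchanged
  2. Dynamic NAT/PAT: nat (IF) ID NET MASK + global (IF) ID interface|POOL
Static and policy NAT are not modelled (none in the posted config).
"""
import ipaddress

# The NAT-relevant lines copied from the posted config.
POSTED_CONFIG = """
access-list inside_nat0_outbound extended permit ip 172.19.5.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Interface addresses from the posted config; used when a global says 'interface'.
IF_IPS = {"inside": "172.19.5.1", "outside": "10.5.5.2"}


def parse(config):
    """Split the config into ACLs, exemption rules, dynamic rules and global pools."""
    acls, exempt, dynamic, pools = {}, {}, [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            # access-list NAME extended permit ip SRC SRCMASK (any | DST DSTMASK)
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=False)
            if t[7] == "any":
                dst = ipaddress.ip_network("0.0.0.0/0")
            else:
                dst = ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=False)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "global":
            # global (IFNAME) ID (interface | POOL)
            pools[int(t[2])] = (t[1].strip("()"), t[3])
        elif t[0] == "nat":
            ifname, nat_id = t[1].strip("()"), int(t[2])
            if nat_id == 0 and t[3] == "access-list":
                exempt.setdefault(ifname, []).append(t[4])
            else:
                net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
                dynamic.append((ifname, nat_id, net))
    return acls, exempt, dynamic, pools


def translate(config, in_if, src, dst, if_ips=IF_IPS):
    """Return (phase, source address the packet leaves with).

    phase is 'exempt' (nat 0 matched, no xlate built), 'dynamic' (PAT/NAT
    applied) or 'none' (no rule matched).
    """
    acls, exempt, dynamic, pools = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Phase 1: NAT exemption wins over every other NAT rule.
    for acl in exempt.get(in_if, []):
        for src_net, dst_net in acls.get(acl, []):
            if s in src_net and d in dst_net:
                return "exempt", src
    # Phase 2: dynamic NAT/PAT, translated to the matching global pool.
    for ifname, nat_id, net in dynamic:
        if ifname == in_if and s in net and nat_id in pools:
            out_if, pool = pools[nat_id]
            return "dynamic", if_ips[out_if] if pool == "interface" else pool
    return "none", src


def without_exemption(config):
    """The fix from the thread: drop the nat 0 line and the ACL it references."""
    return "\n".join(l for l in config.strip().splitlines()
                     if "inside_nat0_outbound" not in l)


if __name__ == "__main__":
    pc, google = "172.19.5.10", "216.239.59.104"  # assumed inside host
    print("as posted :", translate(POSTED_CONFIG, "inside", pc, google))
    print("after fix :", translate(without_exemption(POSTED_CONFIG), "inside", pc, google))
```

With the exemption in place the model returns the private 172.19.5.10 as the egress source, which is why the DSL router's "sh ip nat tran" never shows an entry for it; after the fix the packet leaves as 10.5.5.2. On the real box the same two cases can be checked with `packet-tracer input inside icmp 172.19.5.10 8 0 216.239.59.104`, whose NAT phase reports either the exemption or the dynamic translation, and `show xlate` will list the PAT entry once an inside host actually sends traffic.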

Andy White Wed, 02/10/2010 - 12:12

I will try that. Funny thing was, there was a VPN on there I had to take off.  The interesting traffic from 172.18.5.0 all had to go over the VPN.


I only have outside access to the firewall. I can make the change, but can I test that 172.19.5.x can now ping IPs on the internet?  I guess when I log on to the ASA via SSH it's me pinging from the outside interface?

Collin Clark Wed, 02/10/2010 - 12:26

Exactly, because the outside interface has a public IP it does not need to be NATed and since it's closer to the destination (the internet), it will use that interface.

Andy White Wed, 02/10/2010 - 12:31

Can I use any commands via the CLI to see if removing those commands worked?  Not sure whether, like a router, I can use "ping x.x.x.x source 172.19.5.10"?


Just to confirm I'm removing:


nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 172.19.5.0 255.255.255.0 any


Thanks again

Collin Clark Wed, 02/10/2010 - 12:35

Eventually remove both commands, but I would start with nat (inside) 0 access-list inside_nat0_outbound. That way in case something happens, you just have to add that one line back in. Unfortunately you can't source traffic from another interface in an ASA. You'll need to contact someone out there to test.

Andy White Wed, 02/10/2010 - 12:38

I did remove the commands and then tried:


ASA# ping inside 216.239.59.103
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.239.59.103, timeout is 2 seconds:
Error: inside interface is shutdown

Success rate is 0 percent (0/1)

I thought this would work, I'll try and contact a user.

Collin Clark Wed, 02/10/2010 - 12:44

The command is misleading. You're telling the ASA that 216.239.59.103 is accessible via the inside interface.

Andy White Wed, 02/10/2010 - 12:47

I thought it should be accessible from the inside, as I need to ping it?


I can't get hold of anyone there, I will rate this when I can get some info.

Collin Clark Wed, 02/10/2010 - 12:50

You're telling the ASA to go out the inside interface to get to the public IP. That will never work. Think of it in its reverse. Would you try and ping a private IP address on the internet?

Andy White Wed, 02/10/2010 - 12:52

I understand that now.  Do you think those NATs are part of the previous VPN?

I found out the original VPN was to be a one to one VPN so all traffic on the inside had to go over the VPN.

Correct Answer
Collin Clark Wed, 02/10/2010 - 12:56

Absolutely. With those commands they were tunnelling all traffic, and no traffic was allowed out to the internet directly (it had to go through the hub site).
