ASA - inside can't ping internet IP's, but outside can

Answered Question
Feb 10th, 2010


I have configured an ASA 5505 to get on the internet. The outside interface is plugged into a Cisco 877 DSL router. If I log into the router it can ping via its IP, and if I CLI to the ASA it can too (see below); however the inside can't ping Google's IP. Can you see why?

ASA ping:

ASA# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms

I can get to the ASA's SSH over the internet, but if I turn on "debug IP packet" on the router and then get a PC on 172.19.5.x/24 to ping, it shows nothing, nor does "sh ip nat tran".


ASA Version 8.2(2)
hostname ASA
domain-name 1234
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name gb.vo.local
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any
access-list inside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any
pager lines 24
logging enable
logging buffer-size 100000
logging console critical
logging monitor critical
logging buffered critical
logging trap critical
logging asdm notifications
logging host inside
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http inside
http x.x.x.x outside
http inside
http inside
http inside
http inside
snmp-server host inside community *****
snmp-server location **
snmp-server contact ***
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet inside
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh inside
ssh inside
ssh inside
ssh inside
ssh x.x.x.x outside
ssh timeout 5
ssh version 2
console timeout 20
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd domain 1234 interface inside
dhcpd option 3 ip interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
profile CiscoTAC-1
  no active
  destination address http
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Collin Clark Wed, 02/10/2010 - 11:52

Your NAT statements are incorrect. You're not NATing the traffic from inside to outside. If you need more hints in getting this to work, just let us know.

Andy White Wed, 02/10/2010 - 12:01

Please let me know, my head hurts. I've run the packet tracer and it seems fine though.

Collin Clark Wed, 02/10/2010 - 12:07

No problem, I've been there.

You have two NAT statements~
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1

and the ACL that is referenced by the first statement~

access-list inside_nat0_outbound extended permit ip any

NAT0 will always take precedence and with the nat (inside) 0 access-list inside_nat0_outbound command and referencing the ACL, you're telling the ASA to NOT NAT any traffic sourcing from to anywhere. It does not look like you have VPN configured, so you should be safe removing nat (inside) 0 access-list inside_nat0_outbound. The second statement, nat (inside) 1 is correct for NATing all internal traffic.

Hope it helps.
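
To make the NAT 0 precedence point above checkable, here is an added Python example (not from this thread or from Cisco) that scans an ASA 8.2-style config for a nat 0 exemption ACL whose destination is any and applies the fix suggested here; the sample config is constructed, with the 172.19.5.0/24 source as a placeholder, not the poster's real addresses.

```python
"""Flag a NAT-exemption (nat 0) ACL that shadows dynamic PAT for traffic to 'any'."""
import re

# Constructed sample configs (placeholder addresses, not the thread's real ones).
BROKEN_CFG = """\
access-list inside_nat0_outbound extended permit ip 172.19.5.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.19.5.0 255.255.255.0
"""
FIXED_CFG = """\
global (outside) 1 interface
nat (inside) 1 172.19.5.0 255.255.255.0
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def _addr(t, i):
    """Consume one ASA address spec (any | host A | A MASK) at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return t[i] + "/" + t[i + 1], i + 2

def nat0_shadowing(cfg):
    """Return [(iface, acl, src, dst)] for each permit-ip ACE referenced by a
    'nat (iface) 0 access-list' line whose destination is 'any'. NAT 0 wins over
    dynamic NAT/PAT, so such an ACE sends inside hosts to the internet untranslated."""
    acls, nat0 = {}, []
    for raw in cfg.splitlines():
        t = raw.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        m = NAT0_RE.match(raw.strip())
        if m:
            nat0.append((m.group(1), m.group(2)))
    return [(iface, acl, s, d) for iface, acl in nat0
            for s, d in acls.get(acl, []) if d == "any"]

def remove_nat0(cfg):
    """Drop every 'nat (...) 0 access-list' line and the ACL entries it references."""
    lines = cfg.splitlines()
    names = {m.group(2) for m in (NAT0_RE.match(l.strip()) for l in lines) if m}
    keep = [l for l in lines
            if not NAT0_RE.match(l.strip())
            and not (l.split()[:1] == ["access-list"] and l.split()[1] in names)]
    return "\n".join(keep) + "\n"

if __name__ == "__main__":
    print(nat0_shadowing(BROKEN_CFG))   # the shadowing ACE from the sample config
    print(nat0_shadowing(remove_nat0(BROKEN_CFG)))   # [] after the fix
```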

Andy White Wed, 02/10/2010 - 12:12

I will try that, funny thing was there was a VPN on there I had to take off.  The interesting traffic from all had to go over the VPN.

I only have outside access to the firewall. I can make the change, but can I test that 172.19.5.x can now ping IPs on the internet? I guess when I log on to the ASA via SSH it's me pinging from the outside interface?

Collin Clark Wed, 02/10/2010 - 12:26

Exactly, because the outside interface has a public IP it does not need to be NATed and since it's closer to the destination (the internet), it will use that interface.

Andy White Wed, 02/10/2010 - 12:31

Can I use any commands via the CLI to see if removing those commands worked? Not sure if, like on a router, I can use "ping x.x.x.x source".

Just to confirm I'm removing:

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip any

Thanks again

Collin Clark Wed, 02/10/2010 - 12:35

Eventually remove both commands, but I would start with nat (inside) 0 access-list inside_nat0_outbound. That way in case something happens, you just have to add that one line back in. Unfortunately you can't source traffic from another interface in an ASA. You'll need to contact someone out there to test.

Andy White Wed, 02/10/2010 - 12:38

I did remove the commands and then tried:

ASA# ping inside
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Error: inside interface is shutdown

Success rate is 0 percent (0/1)

I thought this would work, I'll try and contact a user.

Collin Clark Wed, 02/10/2010 - 12:44

The command is misleading. You're telling the ASA that is accessible via the inside interface.

Andy White Wed, 02/10/2010 - 12:47

I thought it should be accessible from the inside as I need to ping it?

I can't get hold of anyone there, I will rate this when I can get some info.

Collin Clark Wed, 02/10/2010 - 12:50

You're telling the ASA to go out the inside interface to get to the public IP. That will never work. Think of it in its reverse. Would you try and ping a private IP address on the internet?

Andy White Wed, 02/10/2010 - 12:52

I understand that now. Do you think those NATs are part of the previous VPN?

I found out the original VPN was to be a one to one VPN so all traffic on the inside had to go over the VPN.

Correct Answer
Collin Clark Wed, 02/10/2010 - 12:56

Absolutely. With those commands they were tunneling all traffic and no traffic was allowed out to the internet directly (had to go through the hub site).
