Can't ping out to the internet from the internal LAN through ASA5505

Jun 24th, 2010

Hope someone can help with a slight problem. I have a setup like so:

LAN ( >>> ASA5505 ( gateway/inside) (x.x.x.194 outside) >>> ISP Router (x.x.x.193) >>> Internet.

The problem I'm having is I'm unable to ping out from the internal LAN to the internet through the ASA5505. I assigned a static IP, gateway and appropriate DNS servers manually to a laptop and rebooted it. I connected the laptop to a free Ethernet port assigned to the correct VLAN, VLAN 1 in this instance. I can ping the gateway of my 5505 fine (, but nothing else. I can't ping by domain name or IP address. I'm able to ping to the internet from the 5505 itself fine. I have rebooted the 5505 and it made no difference. Is it something very simple I'm missing? I have provided the configuration for reference.

This is my first attempt configuring an ASA5505 and any help will be most appreciated.

Thank you.


ASA Version 7.2(4)
hostname wms-asa-5505
enable password 9wrgr/C1doQHK27R encrypted
passwd ccI2bVURfbXCZPL4 encrypted
interface Vlan1
description inside to LAN
nameif inside
security-level 100
ip address
interface Vlan2
description outside via ISP router x.x.x.193
nameif outside
security-level 0
ip address x.x.x.194
interface Ethernet0/0
description to ISP via int vlan 2
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner motd This is a private network. Unauthorised access is strictly prohibited.
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
access-list ACL_IN extended permit icmp any any echo-reply
access-list ACL_IN extended permit icmp any any time-exceeded
access-list ACL_IN extended permit icmp any any unreachable
access-list ACL_OUT extended permit tcp any any object-group Internet_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group ACL_OUT in interface inside
access-group ACL_IN in interface outside
route outside x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 30
ssh timeout 5
console timeout 0

class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Jennifer Halim Thu, 06/24/2010 - 03:17
User Badges:
  • Cisco Employee,

To ping out you would need to permit ICMP on the inside ACL (ACL_OUT):

access-list ACL_OUT permit icmp any any

Then please also add the inspection for icmp:

policy-map global_policy
  class inspection_default
    inspect icmp

Hope that helps.

sifurobbie Thu, 06/24/2010 - 04:10

Hi Halijen,

Thank you for a prompt response. I will try your suggestions and see how I get on.

Best Regards,


sifurobbie Fri, 06/25/2010 - 03:55

Hi Halijenn,

Good news and not so good news I'm afraid. I can now ping via IP to the internet from the internal LAN through the 5505 after your suggestions so thank you for that. But I can't ping from the internal LAN by hostname to any external addresses. The test laptop is set up with the correct DNS servers and I have specified the ASA to look outside for the external DNS servers.

Your help once again is most appreciated.



edadios Fri, 06/25/2010 - 04:36
User Badges:
  • Silver, 250 points or more

Try to add this.

"access-list ACL_OUT permit udp any eq 53"

You can even be tighter by changing the word any with "host ip_address_of_dns_server", e.g.

"access-list ACL_OUT permit udp host eq 53"

This will allow dns queries out.


sifurobbie Fri, 06/25/2010 - 05:55

Hi Edadios,

Many thanks! That worked great once that line was in place. Correct me if I'm wrong, basically the access list said let udp/dns requests from the outside into the internal network ( to the inside interface?



Jennifer Halim Fri, 06/25/2010 - 06:00
User Badges:
  • Cisco Employee,

No, the access list is allowing DNS requests from internal network of towards DNS server on the outside (assuming that you are using your ISP DNS server or external DNS server).
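
Added example, not part of any reply in this thread: a simplified first-match model of the ACL bound inbound on the inside interface (ACL_OUT). It shows why ICMP and UDP/53 hit the implicit deny before the suggested lines were added, even though "domain" was already permitted over TCP. It matches on protocol and destination port only; the addresses in the UDP rule are missing from the page, so "any any" is an assumption.

```python
"""First-match evaluation of the thread's inside ACL (simplified model)."""

# Named ports used by the object-group in the posted configuration.
PORT_NAMES = {"www": 80, "domain": 53, "https": 443, "ftp": 21}

# ACL and object-group lines copied from the posted configuration.
ORIGINAL = """\
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
access-list ACL_OUT extended permit tcp any any object-group Internet_Services
"""
# Lines suggested in the replies; "any any" in the UDP rule is an assumption.
FIXES = """\
access-list ACL_OUT permit icmp any any
access-list ACL_OUT permit udp any any eq 53
"""

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse(config, acl_name):
    """Return ordered (action, proto, ports) rules; ports None means any port."""
    groups, rules, current = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["object-group", "service"]:
            current = groups.setdefault(w[2], set())
        elif w[:2] == ["port-object", "eq"] and current is not None:
            current.add(port(w[2]))
        elif w[:2] == ["access-list", acl_name]:
            w = [t for t in w[2:] if t != "extended"]
            action, proto, tail = w[0], w[1], w[4:]  # w[2:4] is "any any"
            if tail[:1] == ["object-group"]:
                ports = groups[tail[1]]
            elif tail[:1] == ["eq"]:
                ports = {port(tail[1])}
            else:
                ports = None
            rules.append((action, proto, ports))
    return rules

def verdict(rules, proto, dport=None):
    """First matching rule wins; no match falls through to the implicit deny."""
    for action, rule_proto, ports in rules:
        if rule_proto in (proto, "ip") and (ports is None or dport in ports):
            return action
    return "deny (implicit)"
```

Running `verdict(parse(ORIGINAL, "ACL_OUT"), "udp", 53)` against the original lines returns the implicit deny, while the same call on `ORIGINAL + FIXES` returns `permit`; everything not listed, such as UDP/123 or TCP/25, stays denied.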

