Weird routing issue regarding

Unanswered Question
Feb 25th, 2014

Hello, I have had this issue for a while, I assume. But in any case, we have a Cisco ASR 1002 on the edge that does our routing and NAT; behind that we have a Cisco ASA 5585-X and then our LAN.

Trying ping fails from my desktop behind the firewall, although I see the flow being created in the log for the ICMP packet.  I also see the NAT translation on the edge router happening using show ip nat trans | inc 

I can however ping this IP from the edge router and the firewall. 

I am attaching a doc that explains it better. You can also normally ping this IP from any other location, e.g. my cell phone.

Any ideas?

Vasilii Mikhail... Tue, 02/25/2014 - 23:37

Hello, Jeremy.

I guess your ASA could have/miss an ACL that blocked ICMP echo-reply back to the LAN (inspect icmp could be one more way to fix the issue).

PS: it's a little strange that you run NAT on the ASR and not the ASA device.

Jeremy Gibbs Thu, 02/27/2014 - 09:38

Here is a packet cap from the ASR. Looks like someone is dropping our traffic.

Screen Shot 2014-02-27 at 12.37.44 PM.png

