Solved: ASA 5505 8.2 routing problem

Paul.w.townsend · ‎11-05-2011

I've configured a 5505 but internal clients can't ping external ip. To test I've connect a pc with the ip of the default router on the Outside int the ASA can ping the PC and the PC can ping the ASA, but internal clients can't ping the PC

PC config 195.12.23.241/28

Here's the ASA config, so far I've wiped the ASA and started with a blank sonfig and built it up but still not working.

ASA Version 8.2(5)

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif INSIDE

security-level 100

ip address 192.168.5.1 255.255.255.0

!

interface Vlan2

nameif OUTSIDE

security-level 0

ip address 195.12.23.242 255.255.255.240

!

ftp mode passive

dns server-group DefaultDNS

domain-name TEST_LAB

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

pager lines 24

mtu OUTSIDE 1500

mtu INSIDE 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any OUTSIDE

icmp permit any INSIDE

no asdm history enable

arp timeout 14400

global (OUTSIDE) 1 interface

nat (INSIDE) 1 0.0.0.0 0.0.0.0

route OUTSIDE 0.0.0.0 0.0.0.0 195.12.23.241 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 INSIDE

http 192.168.0.0 255.255.0.0 INSIDE

http redirect INSIDE 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.10.0 255.255.255.0 INSIDE

telnet 192.168.0.0 255.255.0.0 INSIDE

telnet timeout 20

ssh 192.168.10.0 255.255.255.0 INSIDE

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

varrao · ‎11-05-2011

Just add this and it should work like a charm:

policy-map global_policy

class inspection_default

inspect icmp

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎11-05-2011

Just add this and it should work like a charm:

policy-map global_policy

class inspection_default

inspect icmp

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Paul.w.townsend · ‎11-06-2011

Thanks Varun

Perfect

That was it, missed it thought it was a NAT issue but couldn't see what I'd done wrong now I see why it wasn't NAT

Thanks again

Paul