ASA 5505 To Internet

Joffroi85
Level 1

I first want to apologize for coming here with what I feel is a simple question. I'm a little embarrassed at how rusty my Cisco knowledge has gotten. I'm trying to get a laptop connected to an ASA 5505 to be able to browse the web. I've tried following basic instructions on doing this through the console because I didn't get much luck with the ASDM.

My internet port that the firewall is connected to does have a static IP of 99.66.167.69 assigned to it with a gateway of 99.66.167.70.  The port also has two DNS servers I'll call A.A.A.A and B.B.B.B if I need that information.

Below is what I currently have as my config. Any help on resolving this would be greatly appreciated.

====================================================

ASA Version 8.2(5)

!

hostname ciscoasas

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 99.66.167.69 255.255.255.248

!

ftp mode passive

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 99.66.167.70 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:225af90f110a58bbc8d98e50c545608d

: end

16 Replies

varrao
Level 10

Hi Joffroi,

Are you able to ping 4.2.2.2 from the ASA, and the default gateway? Are you able to ping it from a host on the inside? Add ICMP inspection before pinging.

Thanks,
Varun Rao
Security Team,
Cisco TAC


craig bache
Level 1

Hi Joffroi

Can you ensure you have enabled all 4 interfaces (physical, virtual) and that you can ping the default gateway?

E.g.

conf t

int eth 0/0

no shut

ping 99.x.x.x

Could you also make sure a host can ping 192.168.1.1?

Regards, Craig

From the ASA, I am able to ping 99.66.167.69 and 4.2.2.2.

From the computer I had plugged into the ASA, I was not able to ping 192.168.1.1. Unfortunately, I had to step away from the lab to check that laptop for now.

All the interfaces have had "no shutdown" applied.

Thanks

Hi,

Can you please apply these captures and ping again? I just want to check whether the ASA is forwarding the packets at all or not.

access-list cap permit ip any host 4.2.2.2

access-list cap permit ip host 4.2.2.2 any

capture capin access-list cap interface inside

capture capo access-list cap interface outside

also apply:

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

after that, try pinging 4.2.2.2 again, and collect the output of :

show cap capin

show cap capo

This would be very helpful in troubleshooting.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Sorry for the delay.

Varun, I followed the commands you suggested. After applying the following settings:

access-list cap permit ip any host 4.2.2.2

access-list cap permit ip host 4.2.2.2 any

capture capin access-list cap interface inside

capture capo access-list cap interface outside

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

these are my results:

Ping 99.66.167.69 from computer hooked to console port.

ping 99.66.167.69

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 99.66.167.69, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Ping 192.168.1.1 from computer hooked to console port

100% success rate

Ping 4.2.2.2 from computer connected to console port.

ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Results of show cap capin

15 packets captured

   1: 16:44:28.681468 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   2: 16:44:30.677973 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   3: 16:44:32.677928 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   4: 16:44:34.678004 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   5: 16:44:36.677943 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   6: 16:45:15.972087 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   7: 16:45:17.967937 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   8: 16:45:19.967952 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   9: 16:45:21.967906 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

  10: 16:45:23.967921 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

  11: 16:48:15.667873 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

  12: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

  13: 16:48:19.657985 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

  14: 16:48:21.657940 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

  15: 16:48:23.657924 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

15 packets shown

Results of show cap capo

5 packets captured

   1: 16:48:15.667888 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   2: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   3: 16:48:19.657985 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   4: 16:48:21.657940 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

   5: 16:48:23.657924 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request

5 packets shown

Ping 99.66.167.69 from computer connected to ASA

Request Timed out 100% of time

Ping 4.2.2.2 from computer connected to ASA

100% success

Ping 192.168.1.1 from computer connected to ASA

Request Timed out

Unfortunately, I noticed I was still connected to a wireless network upon pinging. I turned that off and now get a response "192.168.43.75: Destination Unreachable" when I ping any address.

Thanks
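As an added example (not from the thread or from Cisco), a small Python script that parses "show capture" lines in the format shown above and pairs ICMP echo requests with echo replies per flow, so a capture that holds requests only, as the capo output above does, is flagged as one-way. The sample capture lines are constructed; the only assumption is the line layout seen in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's "show cap" output (not the
# poster's data): three requests to 4.2.2.2 get one reply; a fourth, from the
# laptop, gets none.
SAMPLE_CAPTURE = """\
5 packets captured
   1: 16:48:15.667888 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
   2: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
   3: 16:48:19.657985 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
   4: 16:48:19.660101 802.1Q vlan#2 P0 4.2.2.2 > 99.66.167.69: icmp: echo reply
   5: 16:48:21.657940 802.1Q vlan#2 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
5 packets shown
"""

# "<n>: <time> [802.1Q vlan#N PN] <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


def parse_capture(text):
    """Return the ICMP echo packets in a 'show capture' dump as dicts."""
    # Header/footer lines ("N packets captured/shown") do not match and are skipped.
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize_flows(packets):
    """Count requests and replies per (client, server) pair.

    A reply from S to C belongs to the flow C -> S, so it is keyed like its request.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0})
    for p in packets:
        if p["kind"] == "request":
            flows[(p["src"], p["dst"])]["requests"] += 1
        else:
            flows[(p["dst"], p["src"])]["replies"] += 1
    return dict(flows)


def one_way_flows(flows):
    """Flows with requests but no replies: the symptom in the thread's captures."""
    return sorted(k for k, v in flows.items() if v["requests"] and not v["replies"])


if __name__ == "__main__":
    flows = summarize_flows(parse_capture(SAMPLE_CAPTURE))
    for (client, server), c in sorted(flows.items()):
        print(f"{client} -> {server}: {c['requests']} request(s), {c['replies']} reply(s)")
    print("one-way flows:", one_way_flows(flows))
```

Run it against the inside and outside captures separately: a flow that is one-way on the outside capture points upstream of the ASA, while one that is one-way only on the inside capture points at the ASA's own policy or NAT.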

Hi Joffroi,

I am not sure how you are connecting, because all you need to test with is this: connect the laptop directly to the inside interface of the ASA using an Ethernet cable, assign the laptop the IP 192.168.1.2, and then ping 4.2.2.2. Is this how you tested?

Thanks,
Varun Rao
Security Team,
Cisco TAC


I did assign 192.168.1.2 to my laptop.

When I ping 4.2.2.2 or 99.66.167.69 I get the Reply from 192.168.43.75: Destination unreachable error.

I can ping 192.168.1.1 though.

Where is the 192.168.43.75 coming from?

Here is my latest config file just for the record

: Saved

:

ASA Version 8.2(5)

!

hostname UUFkcASA

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 99.66.167.69 255.255.255.248

!

ftp mode passive

access-list cap extended permit ip any host 4.2.2.2

access-list cap extended permit ip host 4.2.2.2 any

access-list outside_access_in extended permit icmp any any

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 99.66.167.70 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e6d997e51654139d99b017e8f62f4cc7

: end

You would need to find that out on the laptop: check ipconfig at the command prompt to see which network adapters are active.

Thanks,
Varun


I went ahead and changed to a Unix laptop. My other laptop may have corporate settings interfering.

Using DHCP, my laptop assigns itself a 169.254.83.145 IP address.

I went ahead and changed that to 192.168.1.2 as stated above. For 99.66.167.69 and 4.2.2.2 I still get a "Host is down" message. I am able to ping 192.168.1.1 from the laptop though.

Do DNS addresses play a role in any of this?

Thanks

Hello Joffroi,

DNS does not play a role in this, as you are not performing any domain name resolution; you are just trying to access a host on the outside by its public IP address (4.2.2.2).

Here is what I want you to add:

policy-map global_policy

class inspection_default

inspect icmp

Then try to ping one more time. If this does not work, please do the following:

I want the ifconfig or ipconfig from the machine.

I want a packet-tracer. On the ASA, do "packet-tracer input inside icmp 192.168.1.2 8 0 4.2.2.2" and provide me the output.

FYI, using an ASA you will not be able to ping a distant interface. What is that?

As an example, from that PC 192.168.1.2 you can ping the inside interface, but the outside or DMZ or any other interface besides the inside will be a distant interface. This is a security measure that the ASA uses!

Regards,

Julio

DO Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

99.66.167.69 is the static IP address assigned by the ISP for the port the ASA is connected to.

I followed your suggestions above but was unable to execute the inspect icmp command. I added the first two.

Below are the results for the packet-tracer. I'll track down a thumb drive to transfer the output of the ifconfig if you still need it.

At this point, is it maybe easier for me to start over and try another set of instructions like this? http://www.youtube.com/watch?v=RYr3Vpm5uWA

Results

packet-tracer input inside icmp 192.168.1.2 8 0 4.2.2.2

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (99.66.167.69 [Interface PAT])

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 192.168.1.2/0 to 99.66.167.69/59409 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 42, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Thanks for all the help thus far, guys. It really is appreciated.
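As an added example (not from the thread or from Cisco), a Python parser for the packet-tracer output format shown above. It splits the run into phases, keeps the rule each phase matched, and reports the first phase whose Result is not ALLOW, so a policy check can be automated instead of read by eye. The sample trace is constructed: the thread's own packet-tracer command, but with a hypothetical inside access-list denying the ping, so the drop path is exercised as well as the all-ALLOW path the thread shows.

```python
import re

# Constructed packet-tracer output (not the thread's): the same command the
# thread runs, but with a hypothetical inside ACL denying the ping.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny icmp any any
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")


def parse_packet_tracer(text):
    """Return ([phase dicts], final verdict dict) for one packet-tracer run."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PHASE_RE.match(line):
            cur = {"phase": int(m.group(1)), "config": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final verdict block
            cur, section = None, None
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif section == "Config:" and cur is not None and line:
            cur["config"].append(line)  # the rule(s) this phase matched on
        elif kv := KV_RE.match(line):
            (cur if cur is not None else final)[kv.group(1).lower()] = kv.group(2).strip()
    return phases, final


def first_drop(phases):
    """First phase whose Result is not ALLOW, or None when every phase passes."""
    return next((p for p in phases if p.get("result", "").upper() != "ALLOW"), None)
```

On the thread's own output, first_drop returns None and the final dict carries action "allow", which is exactly what the reply below reads off it by hand.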

Hello Joff,

Please add the following command:

     -Fixup protocol ICMP

Give it a try,

The packet tracer shows that everything is fine.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I entered that command and got this response:

(config)# fixup protocol ICMP

INFO: converting 'fixup protocol icmp ' to MPF commands

From my laptop, where I assigned the 192.168.1.3 IP address, I am still unable to ping 4.2.2.2 or browse the web. Below is the ifconfig:

ifconfig

lo0: flags=8049 mtu 16384

options=3

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1

inet 127.0.0.1 netmask 0xff000000

inet6 ::1 prefixlen 128

gif0: flags=8010 mtu 1280

stf0: flags=0<> mtu 1280

en0: flags=8863 mtu 1500

options=2b

ether 00:1f:f3:53:da:5f

inet6 fe80::21f:f3ff:fe53:da5f%en0 prefixlen 64 scopeid 0x4

inet 192.168.1.3 netmask 0xffff0000 broadcast 192.168.255.255

media: autoselect (100baseTX )

status: active

en1: flags=8823 mtu 1500

ether 00:1f:5b:c4:02:6a

media: autoselect ()

status: inactive

fw0: flags=8863 mtu 4078

lladdr 00:1f:f3:ff:fe:60:16:f2

media: autoselect

status: inactive

vboxnet0: flags=8842 mtu 1500

ether 00:76:62:00:00:00

It's pretty frustrating reading that everything looks fine. I was really hoping I had missed 2-3 crucial lines for a quick fix. Is it possible that it could be something with how my IT department set up the port?

I can get internet working on my laptop if I connect directly to the port and manually set the static IP, gateway, DNS1, DNS2 and subnet address, so probably not.

Thanks

Hello Joffroi,

What is connected between the ASA and the PC, and also between the ASA and the Internet (ISP router)?

Also create the following capture:

capture asp type-asp all circular-buffer

Then do a clear:

clear cap capo

clear cap capin

clear cap asp

Please try to ping and provide the following:

cap asp | inc 4.2.2.2

cap capin

cap capo

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC