ASA 5515x unable to ping from LAN to outside

benskippy
Level 1

We have just installed a new ASA 5515 with 9.1(1) loaded and it is our first look at this device/syntax. It has been set up as a 'translation' from another device.

At present, I can ping both an external IP (8.8.8.8) and a LAN-based IP address from the new ASA device. The problem is when I try to ping 8.8.8.8 from a client connected to the LAN/inside. I cannot work out what the problem is, so any help will be appreciated - it is an upgrade that needs to be 'live' by the morning (no pressure).

Config below:

**********
Company-Name(config)# ping aa.bbb.c.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to aa.bbb.c.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Company-Name(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
**********

Current running configuration
**********
ASA Version 9.1(1)
!
hostname Company-Name
domain-name company.co.uk
enable password abcdefghij encrypted
passwd abcdefghij encrypted
names
ip local pool aa.bbblanpool aa.bbb.254.240-aa.bbb.254.254 mask 255.255.0.0
!
interface GigabitEthernet0/0
speed 100
nameif Trust
security-level 100
ip address aa.bbb.c.1 255.255.255.0
!
interface GigabitEthernet0/1
speed 100
nameif Untrust
security-level 0
ip address xxx.xx.yyy.130 255.255.255.240
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
dns domain-lookup Untrust
dns server-group DefaultDNS
name-server 66.9.50.194
name-server 66.9.50.226
domain-name company.co.uk
object network aa.bbblan
subnet aa.bbb.0.0 255.255.0.0
object network Bloxx
host aa.bbb.c.45
object network blackberrySite
fqdn srp.eu.BlackBerry.net
object network Messagelabs
subnet 117.120.16.0 255.255.248.0
object network Mailserver_int
host aa.bbb.c.48
object network Mailserver_ext
host xxx.xx.yyy.131
object network Blackberry_ext
host xxx.xx.yyy.135
object network Blackberry_int
host aa.bbb.c.43
object network CiscoPBX
host aa.bbb.4.3
object network CiscoPBX_ext
host xxx.xx.yyy.132
object network BTSIP
host 85.119.63.4
object network NETWORK_OBJ_aa.bbb.254.240_28
subnet aa.bbb.254.240 255.255.255.240
object-group service 445 tcp-udp
port-object eq 445
object-group service 1434 tcp
port-object eq 1434
object-group service blackberry tcp
port-object eq 3101
object-group service openport990 tcp
port-object eq 990
object-group service openport-20000-21000 tcp
port-object range 20000 21000
object-group service BTSIPPorts tcp
port-object range sip 5070
access-list untrust-in extended deny tcp any any object-group 1434 log
access-list untrust-in extended permit tcp any object Blackberry_ext object-group blackberry
access-list untrust-in extended permit tcp object Messagelabs object Mailserver_ext eq smtp
access-list untrust-in extended permit tcp any any object-group openport990
access-list untrust-in extended permit tcp any any object-group openport-20000-21000
access-list untrust-in extended permit tcp object BTSIP object CiscoPBX_ext object-group BTSIPPorts
access-list untrust-in extended permit tcp any object aa.bbblan eq ftp
access-list trust-in extended permit tcp object aa.bbblan any
access-list trust-in extended deny tcp object aa.bbblan any object-group 1434
pager lines 24
logging asdm informational
mtu Trust 1500
mtu Untrust 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Trust
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Trust,Untrust) source static Mailserver_int Mailserver_ext
nat (Trust,Untrust) source static Blackberry_int Blackberry_ext
nat (Trust,Untrust) source static CiscoPBX CiscoPBX_ext
nat (Trust,Untrust) source static any any destination static NETWORK_OBJ_aa.bbb.254.240_28 NETWORK_OBJ_aa.bbb.254.240_28 no-proxy-arp
nat (Trust,Untrust) source static aa.bbblan interface
access-group trust-in in interface Trust
access-group untrust-in in interface Untrust
route Untrust 0.0.0.0 0.0.0.0 xxx.xx.yyy.129 1
route Trust aa.203.201.0 255.255.255.0 aa.bbb.c.10 1
route Trust aa.206.70.0 255.255.255.0 aa.bbb.c.10 1
route Trust aa.209.1c.0 255.255.255.0 aa.bbb.c.10 1
route Trust 19c.168.251.0 255.255.255.255 aa.bbb.c.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 19c.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Trust
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Untrust_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Untrust_map interface Untrust
crypto ca trustpool policy
crypto ikev1 enable Untrust
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet aa.bbb.c.0 255.255.255.0 Trust
telnet aa.bbb.c.10 255.255.255.255 Trust
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Trust
ssh aa.bbb.c.10 255.255.255.255 Trust
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 81.168.77.149 source Untrust
group-policy DialupVpnUsers internal
group-policy DialupVpnUsers attributes
dns-server value 66.9.50.194 66.9.50.226
vpn-tunnel-protocol l2tp-ipsec
username username@comp.vpn password 5WDm75G39/+P7HJcTOc4hA== nt-encrypted privilege 0
username username@comp.vpn attributes
vpn-group-policy DialupVpnUsers
username company password 6K6FMujTz1E/uZbV encrypted
username username@comp.vpn password 9r494kAr7zVwG29ZWJjVWQ== nt-encrypted privilege 0
username username@comp.vpn attributes
vpn-group-policy DialupVpnUsers
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DialupVpnUsers type remote-access
tunnel-group DialupVpnUsers general-attributes
address-pool aa.bbblanpool
default-group-policy DialupVpnUsers
tunnel-group DialupVpnUsers ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:86f9a510e4585874994bd474c8cf96b9
: end

Accepted Solution

Veronika Klauzova
Cisco Employee

Hi Ben,

I had a quick look into your issue and it seems that you are missing just the inspection for ICMP. This is needed in order to allow ICMP traffic through the box.

Configuration:

policy-map global_policy
 class inspection_default
  inspect icmp

Also, you need to allow that traffic on the trust-in access-list as well (if your clients are located behind the Trust interface).

Kind regards,

Veronika
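The two conditions in the accepted answer can be checked mechanically against a running-config before a change window. The script below is an added example, not code from the thread or from Cisco: it parses the `access-list`, `access-group`, `policy-map` and `service-policy` lines of an ASA config and reports (1) whether `inspect icmp` is enabled in the globally applied policy, so that echo replies are matched as return traffic of an existing connection instead of being evaluated against the outside ACL, and (2) whether the ACL applied inbound on the inside interface permits icmp (or ip). The sample configs are constructed, trimmed excerpts modelled on the posted one; the `aa.bbb` placeholders are kept as-is because the parser never interprets addresses.

```python
"""Check whether an ASA running-config lets ICMP echo pass from an inside
interface to the outside. Added example; the configs below are constructed
excerpts modelled on the thread's posted config, not the original text."""
import re

# Constructed excerpt of the posted running-config, trimmed to the relevant lines.
ORIGINAL_CFG = """\
interface GigabitEthernet0/0
 nameif Trust
 security-level 100
interface GigabitEthernet0/1
 nameif Untrust
 security-level 0
object network aa.bbblan
 subnet aa.bbb.0.0 255.255.0.0
access-list untrust-in extended deny tcp any any object-group 1434 log
access-list untrust-in extended permit tcp any object aa.bbblan eq ftp
access-list trust-in extended permit tcp object aa.bbblan any
access-list trust-in extended deny tcp object aa.bbblan any object-group 1434
access-group trust-in in interface Trust
access-group untrust-in in interface Untrust
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
service-policy global_policy global
"""

# The same excerpt with the accepted answer's two fixes applied (constructed).
FIXED_CFG = ORIGINAL_CFG.replace(
    "access-list trust-in extended permit tcp object aa.bbblan any\n",
    "access-list trust-in extended permit tcp object aa.bbblan any\n"
    "access-list trust-in extended permit icmp object aa.bbblan any\n",
).replace("  inspect ip-options\n", "  inspect ip-options\n  inspect icmp\n")


def parse_access_lists(cfg):
    """Return {acl_name: [ace_tokens, ...]} for every 'access-list NAME extended ...' line."""
    acls = {}
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) extended (.*)", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).split())
    return acls


def inbound_acl_for(cfg, nameif):
    """Return the ACL name applied inbound on interface `nameif`, or None if there is none."""
    for line in cfg.splitlines():
        m = re.match(r"access-group (\S+) in interface (\S+)", line.strip())
        if m and m.group(2) == nameif:
            return m.group(1)
    return None


def acl_permits_icmp(aces):
    """Coarse check: some ACE permits protocol icmp, or ip (which covers icmp)."""
    return any(ace[0] == "permit" and ace[1] in ("icmp", "ip") for ace in aces)


def icmp_inspected(cfg, policy="global_policy"):
    """True if 'inspect icmp' sits under `policy` and that policy is applied globally."""
    in_policy = applied = inspected = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            in_policy = line == f"policy-map {policy}"   # leaves other policy-maps
        elif in_policy and line == "inspect icmp":
            inspected = True
        elif line == f"service-policy {policy} global":
            applied = True
    return inspected and applied


def check_inside_ping(cfg, inside_if):
    """List the reasons ping from `inside_if` to outside would fail; [] means it should pass."""
    findings = []
    if not icmp_inspected(cfg):
        findings.append("no 'inspect icmp' in global_policy: echo replies are not "
                        "matched to the outbound request and hit the outside ACL")
    acl = inbound_acl_for(cfg, inside_if)
    # No inbound ACL means high-to-low traffic is allowed by default, so only an
    # ACL that lacks an icmp/ip permit is a finding.
    if acl is not None and not acl_permits_icmp(parse_access_lists(cfg).get(acl, [])):
        findings.append(f"access-list {acl} on {inside_if} has no permit for icmp "
                        "(implicit deny at the end drops the echo request)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(f"{label}: {check_inside_ping(cfg, 'Trust') or 'ICMP echo should pass'}")
```

Note that `icmp permit any Trust` in the posted config only governs ICMP addressed to the ASA's own interface, which is why the firewall itself can ping while hosts behind it cannot; traffic through the box is decided by the interface ACL and the inspection policy checked here.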

