ASA outside interface ip not reachable from internet.

raajesh8228 · ‎08-12-2014

Hi,

I have configured asa 5520 (8.2) outside interface ip :125.19.x.x but i am unable to reach from internet. When i troubleshoot with packet-tracer command in firewall below is the output. please let me know what is the issues.

ASA# packet-tracer input outside icmp 112.82.X.X 0 0 144.X.X.X

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 144.X.X.X 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 388358900, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched

nkarthikeyan · ‎08-12-2014

Hi Rajesh,

Do you have inspect icmp enabled in your service policy? if not enable that and try it.

do you have any policies or acl's binded to control-plane? if so remove the control-plane in access-group and enable without control-plane

do you have any icmp configuration in your firewall for outside interface? if so you need to tweak it to allow....

do you have anyother devices next to firewall is blocking icmp echo-reply ?

Regards

Karthik