Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA5510 cannot PING from INSIDE to OUTSIDE

Hey guys, I cannot seem to determine exacly why I am not able to ping from the inside to outside using the standard 100/0 security levels respectively.

I am dynamic natting the inside to the outside interface, something I don't usually do but cannot see why ICMP's are not passing through.

The Packet trace tool says there is something in the ACL but there really isn't.

Any suggestions on what I should look for?

Is there simply an issue of Natting to the WAN interface on a 5510?

I got the latest 8.4 on there.

Thanks

  • Firewalling
Everyone's tags (6)
10 REPLIES
Cisco Employee

ASA5510 cannot PING from INSIDE to OUTSIDE

Have you enabled ICMP inspection?

New Member

ASA5510 cannot PING from INSIDE to OUTSIDE

Yes, I tried it both ways.

Red

ASA5510 cannot PING from INSIDE to OUTSIDE

Can you share your configuration with us?

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA5510 cannot PING from INSIDE to OUTSIDE

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address X.X.X.X 255.255.255.248

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.60.3 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

speed 100

duplex full

shutdown

no nameif

security-level 0

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name XXXXXXXXXXX.org

same-security-traffic permit inter-interface

object network obj-192.168.197.0

subnet 192.168.197.0 255.255.255.192

object network SERVERX-server

host 192.168.53.150

object service obj-udp-source-eq-5008-eq-5008

service udp source eq 5008 destination eq 5008

object service obj-udp-eq-5008

service udp source eq 0 destination eq 5008

object service obj-tcp-source-eq-5008-eq-5008

service tcp source eq 5008 destination eq 5008

object service obj-tcp-eq-5008

service tcp source eq 0 destination eq 5008

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

object-group network Inside-Networks

description All Inside networks

network-object inside-172networks 255.255.0.0

network-object inside-192networks 255.255.0.0

object-group network SPECIAL-NET-Networks

description SPECIAL-NET-Subnets

network-object 192.168.53.0 255.255.255.0

network-object 192.168.93.0 255.255.255.0

network-object 192.168.94.0 255.255.255.0

network-object 192.168.95.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object icmp echo

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object icmp echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any

access-list outside_access_in remark Access to SERVERX Server

access-list outside_access_in extended permit udp any object SERVERX-server eq 5008

access-list outside_access_in remark Access to SERVERX

access-list outside_access_in extended permit tcp any object SERVERX-server eq 5008

access-list outside_access_in extended permit ip any any log

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended deny ip any any log

access-list inside_nat_outbound extended permit udp object SERVERX-server eq 5008 any eq 5008

access-list inside_nat_outbound extended permit tcp object SERVERX-server eq 5008 any eq 5008

access-list inside_nat0_outbound extended permit ip any 192.168.197.0 255.255.255.192

access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any

access-list inside_access_in_1 extended permit icmp any any echo-reply

access-list inside_access_in_1 extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool VPNUSERS 192.168.197.1-192.168.197.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static any any destination static obj-192.168.197.0 obj-192.168.197.0 no-proxy-arp route-lookup

nat (inside,outside) source dynamic SERVERX-server interface service obj-udp-source-eq-5008-eq-5008 obj-udp-eq-5008

nat (inside,outside) source dynamic SERVERX-server interface service obj-tcp-source-eq-5008-eq-5008 obj-tcp-eq-5008

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj_any-01

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-02

nat (management,outside) dynamic obj-0.0.0.0

access-group outside_access_in in interface outside

access-group inside_access_in_1 in interface inside

route outside 0.0.0.0 0.0.0.0 207.30.22.97 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http x.x.x.x.0 255.255.254.0 outside

http x.x.x.x.0 255.255.254.0 outside

http 192.168.197.0 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh x.x.x.x.0 255.255.254.0 outside

ssh x.x.x.x.0 255.255.254.0 outside

ssh 192.168.197.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

priority-queue outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 132.163.4.101 source outside prefer

webvpn

group-policy VPNUSERS internal

group-policy VPNUSERS attributes

wins-server value 192.168.20.167 192.168.93.3

dns-server value 192.168.20.167 192.168.93.3

vpn-tunnel-protocol ikev1

default-domain value XXXXXXXXXXXX.org

username xxxxxxxx password xxxxxxxxxxxxxxxxx

tunnel-group VPNUSERS type remote-access

tunnel-group VPNUSERS general-attributes

address-pool VPNUSERS

default-group-policy VPNUSERS

tunnel-group VPNUSERS ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group WP-remote type remote-access

tunnel-group WP-remote general-attributes

address-pool VPNUSERS

tunnel-group WP-remote ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:1029ff912312218ed6dff586a112f461

: end

asdm image disk0:/asdm-649.bin

asdm location SERVERX-server 255.255.255.255 inside

no asdm history enable

Cisco Employee

ASA5510 cannot PING from INSIDE to OUTSIDE

Pls remove the following NAT as it is incorrect:

object network obj_any-01

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-02

nat (management,outside) dynamic obj-0.0.0.0

You can't PAT to 0.0.0.0.

Also, can you pls advise what you are trying to ping to and from?

New Member

ASA5510 cannot PING from INSIDE to OUTSIDE

I had made the changes you suggested, I had also changed my NAT to an unused IP one higer then the one on my WAN interface. (which has a .248 mask /29)

Using ASDM Ping tool and packet trace tool I am able to ping from the WAN but not the LAN (INSIDE) interface.

I do not have a tech on site and inside interface is UP.

New Member

Re: ASA5510 cannot PING from INSIDE to OUTSIDE

oh Snap!  So I checked a previous customers 5510 that I did nearly an identical setup and I KNOW theirs is passing pings from the inside interface. I ran the ASDM packet trace and the ping tool sourcing from the inside IP and that one shows a failure as well even though I know 100% that it IS passing ICMP from the inside network out.

So it seems there is an issue with the ASDM ping and packet trace tool when I source from the inside interface showing fails.

Cisco Employee

ASA5510 cannot PING from INSIDE to OUTSIDE

You can't ping from inside interface towards an outside host. Please try to ping from an inside host towards an outside host and see if that works.

New Member

ASA5510 cannot PING from INSIDE to OUTSIDE

Why is that we cannot ping an outside host from an inside interface, isn't that essentially one of the main reasons for the ping and packet trace tool to begin with, so we can test without having someone there with a PC on the interface? If I recall correctly this used to work prior to v8.03

2408
Views
0
Helpful
10
Replies
This widget could not be displayed.