can't ping from inside with asa 5520

Maleksalim
Level 1

Hi,

I configured an ASA 5520 to protect my network, but I can't go to the internet from my inside.

I can ping an outside address from the outside interface of the ASA, but not from inside.

ciscoasa# show run

: Saved

:

ASA Version 7.0(8)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

nameif OUTSIDE

security-level 0

ip address 41.65.216.186 255.255.255.252

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 10.210.0.251 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

pager lines 24

mtu inside 1500

mtu OUTSIDE 1500

no failover

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (OUTSIDE) 1 interface

nat (inside) 1 10.210.0.0 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 41.65.216.185 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username cisco password 3USUcOPFUiMCO4Jk encrypted

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

Cryptochecksum:c2975e3f70cdf88443a2ec40ff6d3828

: end

1 Reply

Fernando_Meza
Level 7

Hi,

You most likely need to enable icmp inspect in order to get icmp through the firewall. This is disabled by default.

hostname(config)# policy-map global_policy

hostname(config-pmap)# class inspection_default

hostname(config-pmap-c)# inspect icmp

hostname(config-pmap-c)# exit

You should be able to connect to the Internet though (of course, assuming your DNS settings are correct).

I hope it helps. Please rate helpful posts.
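
An added example, not part of the reply above and not Cisco tooling: a small Python check that reads saved "show run" text and reports whether a given inspection engine (here icmp) is enabled in a policy-map that is actually bound with service-policy. The sample config is constructed in the shape of the output in the question; the function names are hypothetical.

```python
# Constructed sample: policy section of a "show run", flattened and with a
# pager marker, in the shape of the output posted above.
SAMPLE = """\
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
<--- More --->
inspect dns maximum-length 512
inspect ftp
inspect esmtp
!
service-policy global_policy global
"""


def inspections(config):
    """Map each policy-map name to {class name: set of inspect engines}."""
    maps, pmap, cls = {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("<---"):  # blank or pager residue
            continue
        if words[0] == "!":                            # section separator
            pmap = cls = None
        elif words[0] == "policy-map":
            # Typed maps ("policy-map type inspect ...") are not tracked here.
            pmap, cls = (words[1] if len(words) == 2 else None), None
            if pmap:
                maps.setdefault(pmap, {})
        elif pmap and words[0] == "class" and len(words) >= 2:
            cls = words[1]
            maps[pmap].setdefault(cls, set())
        elif pmap and cls and words[0] == "inspect" and len(words) >= 2:
            maps[pmap][cls].add(words[1])
    return maps


def engine_enabled(config, engine):
    """True if `engine` is inspected in a policy-map bound by service-policy."""
    maps = inspections(config)
    bound = [w[1] for w in map(str.split, config.splitlines())
             if len(w) >= 3 and w[0] == "service-policy"]
    return any(engine in engines
               for name in bound
               for engines in maps.get(name, {}).values())


if __name__ == "__main__":
    for eng in ("ftp", "icmp"):
        print(eng, "inspected:", engine_enabled(SAMPLE, eng))
```

The check only counts a policy-map that a service-policy line applies, so an inspect icmp entry in an unbound policy-map is reported as not enabled.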
