New Member

Can't ping outside interface from Internet

I have an ASA 5505 with the latest software. I had this up and running the other day and suddenly it stopped responding to pings and VPN connections. I have changed nothing in the config. 

In the log I can see the pings come in but it just says "built inbound ICMP connection..." and "teardown ICMP connection". No errors. 

 

I am completely baffled by this one.... any ideas?
Thanks

8 REPLIES

Hi,

Check for ICMP configuration, if any is configured denying on the outside interface.

Check for routing; when you say VPN connections and ping stop working, I suspect a route is missing for the reverse connection.

show route 

 

HTH

sandy

New Member

I have attached the config. The part I don't understand is why this is happening if I didn't change anything in the config. It was working on Tuesday and now it doesn't. 

Thanks

Hall of Fame Super Silver

Your configuration line: 

route outside 0.0.0.0 0.0.0.0 10.1.10.1 1

Would seem to point to a private network and not to the expected public IP of your ISP router. With that in place, the ASA does not know a valid gateway to direct the ICMP echo reply back to.

New Member

10.1.10.1 is the Comcast gateway. It is a private address, but the ASA is connected to it.

And it was working with this setting the other day.

Thanks

Silver

Please go ahead and remove this NAT statement and then place it back in:

 

nat (inside,outside) source dynamic any interface
Value our effort and rate the assistance!
Silver

I also work at TAC, so if you want we can WebEx, but this could be related to the device in front of the ASA that is probably doing the NAT.

 

FYI: You have the PAT NAT statement above the NAT exemption for your VPN-related traffic, so you need to remove:

nat (inside,outside) source dynamic any interface

and then add it back so it ends on line 2.

 

Juan Mora

Security Technical Lead

Email: jumora@Cisco.com

Desk:770-702-6300 Ext: 4863

Value our effort and rate the assistance!
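
The NAT ordering issue raised in the reply above can be checked offline against saved `show running-config nat` output. This is an added example, not part of the original thread: the object names `LAN` and `VPN_POOL` and both sample configs are constructed, and it assumes section 1 manual NAT rules are evaluated top-down with the first match winning.

```python
import re

# Manual (twice) NAT line as it appears at column 0 in "show running-config nat".
NAT_RE = re.compile(
    r"^nat \((\S+?),(\S+?)\)\s+(after-auto\s+)?source\s+(static|dynamic)\s+(\S+)\s+(\S+)(.*)$"
)

def parse_manual_nat(config_text):
    """Return section 1 manual NAT rules in evaluation order."""
    rules = []
    for raw in config_text.splitlines():
        m = NAT_RE.match(raw.rstrip())  # indented object NAT lines do not match
        if not m or m.group(3):         # after-auto rules run last, so skip them
            continue
        real_if, mapped_if, _, kind, real, mapped, rest = m.groups()
        dst = re.search(r"destination static (\S+) (\S+)", rest)
        rules.append({
            "line": len(rules) + 1,
            "ifcs": (real_if, mapped_if),
            # Catch-all PAT: every source, translated to the interface address.
            "broad_pat": kind == "dynamic" and real == "any"
                         and mapped == "interface" and dst is None,
            # NAT exemption: identity translation for both source and destination.
            "exempt": kind == "static" and real == mapped
                      and dst is not None and dst.group(1) == dst.group(2),
        })
    return rules

def shadowed_exemptions(config_text):
    """Return (pat_line, exempt_line) pairs where the catch-all PAT matches first."""
    rules = parse_manual_nat(config_text)
    return [(pat["line"], ex["line"])
            for pat in rules if pat["broad_pat"]
            for ex in rules
            if ex["exempt"] and ex["ifcs"] == pat["ifcs"] and ex["line"] > pat["line"]]

# Constructed sample configs (object names are hypothetical).
EXEMPT = ("nat (inside,outside) source static LAN LAN "
          "destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup")
BROKEN = "nat (inside,outside) source dynamic any interface\n" + EXEMPT + "\n"
FIXED = EXEMPT + "\nnat (inside,outside) source dynamic any interface\n"

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, shadowed_exemptions(cfg) or "no shadowed exemptions")
```

An empty result for the reordered config corresponds to the PAT statement ending up on line 2, after the exemption.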
New Member

I will try that and let you know. I may not be able to get to it tomorrow though.

Thanks!

Silver

Post the configuration. This could be because of a NAT or, as indicated, an ICMP command.

Value our effort and rate the assistance!