Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Help with PAT, 5512-X, 8.6(1)2

I have a new ASA 5512-X hooked up to a Clear Router (set to passthrough) on the Outside and a Netgear switch on the Inside.

I can ping internet addresses from the ASA console but not from devices on the Inside. Looks like a PAT issue... or routing. Echos going out, replies not coming back in.

Packet Tracer says an ICMP echo outbound passes.....

What am I missing??

ciscoasa# show running-config

: Saved

:

ASA Version 8.6(1)2

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address dhcp setroute

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

nameif inside

security-level 50

ip address 10.200.0.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

object network InternalNets

subnet 10.200.0.0 255.255.255.0

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging buffer-size 10000

logging asdm-buffer-size 512

logging monitor informational

logging buffered debugging

logging trap debugging

logging asdm debugging

logging rate-limit 1000 60 level 1

logging rate-limit 1000 60 level 6

mtu management 1500

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network InternalNets

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.200.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd auto_config outside interface management

dhcpd enable management

!

dhcpd address 10.200.0.2-10.200.0.250 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:4997430d9f627501b82040ce2bcb2a1b

: end

ciscoasa#

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Help with PAT, 5512-X, 8.6(1)2

Hi,

Try adding

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Or use

fixup protocol icmp

fixup protocol icmp error

Both accomplish the same thing. The latter one is just the old format for the command which the ASA should still accept. Without these the ICMP through the firewall generally fails.

Hope this helps

- Jouni

1 REPLY
Super Bronze

Help with PAT, 5512-X, 8.6(1)2

Hi,

Try adding

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Or use

fixup protocol icmp

fixup protocol icmp error

Both accomplish the same thing. The latter one is just the old format for the command which the ASA should still accept. Without these the ICMP through the firewall generally fails.

Hope this helps

- Jouni

183
Views
0
Helpful
1
Replies
CreatePlease to create content