New Member

unable to ping outside interface of ASA

 

Hello All,

I built a small GNS lab. All my internal devices ping fine on the same subnet; however, when I try to reach another subnet via the ASA, I get an ICMP unreachable message.

As per the attached topology, I am unable to reach the outside interface of the ASA from R1.

 

Any help would be appreciated.

 

30 REPLIES
Super Bronze


Hi,

 

Which side of the ASA is the "outside"? Which ASA interface's IP address are you trying to ping?

 

Notice that the user/device has to be behind the interface it tries to ping to be able to get a reply. You cannot ping an ASA interface IP address if you are doing the ping from behind a different ASA interface.

 

So in your case, if for example the "outside" interface is "e1", then you cannot ping it from R1, only from R5, as it is behind that ASA interface.

 

If the device is behind the correct interface then by default the ASA should reply to the ICMP, to my understanding. You can always add the command

 

icmp permit any outside

 

This would allow all ICMP on the interface. In an actual network environment the above command would probably not be ideal to use.

 

Also, you should make sure that the ASA and all the routers in between have the necessary routing information so that the ICMP can go through.

 

Hope this helps :)

 

PS. Did you manage to solve the problems related to ASDM in your other post?

New Member


Thanks Jouni for the reply,

Yes, e1 is the outside interface of the ASA.

In my topology R1 is a user PC which is trying to reach the outside network, i.e. R5.

How can I allow R1 to reach R5 if, as per you, it's not possible?

 

P.S. Well, for the ASDM issue I have to go to my other office... will definitely let you know.

 

Thanks for your help

Super Bronze


Hi,

 

OK, if "e1" is the "outside" then no device behind the "e0" interface will be able to ping the "outside" interface. The only limiting factor here is simply the thing I mentioned: the device/host doing the ping must be located behind the interface that it is trying to ping.

 

Allowing ICMP from R1 to R5 should not require much (if any) configuration on the ASA other than the normal interface settings.

 

It's hard for me to say what the problem might be if you cannot ICMP from R1 to R5 without seeing the configurations. I would suggest checking routing first. Make sure that R1 has a route for the IP address on R5 that you are trying to ping. This might use a default route, unless your lab simply uses specific static routes. Similarly, you should check on R5 that it has a route towards the R1 address where the ping is coming from. Notice that the devices use the closest interface towards the destination IP address as the source for the ping, so that is the address for which you should check routes in between and at the destination device.

 

After going through the routing, there is naturally the big question of the ASA configuration.

 

Does it use interface ACLs that could block the traffic? If no ACLs are in use on the ASA interfaces then the "security-level" determines in which direction connections can be initiated. Users behind the interface with the higher "security-level" can connect to any destination behind any lower "security-level" interface. As I said, if ACLs are in use on the interfaces then the "security-level" does not matter, but traffic has to be allowed in the interface ACL instead.

 

 

Is the ASA doing NAT between its interfaces? This could affect the possibility to connect between the routers. If there are any Dynamic PAT configurations between the ASA interfaces then connections can be initiated only from one end (as dynamic translations don't enable bidirectional connection initiation).

 

 

Do you have "inspect icmp" and "inspect icmp error" configured under the "policy-map" configurations?

 

You can use the following command to check if those are enabled

 

show run policy-map

 

If you cannot see the "inspect icmp" configuration there you should add it. Go to the right configuration mode (under which the existing "inspect" commands are located) and enter the commands.

 

Above are some things to check.

 

Hope I made some sense and hope it helps :)

 

- Jouni

New Member


Thanks for your help,

In my scenario R1 is a PC with no IP routing configured, and I am considering R5 as the ISP router, on which I have only assigned an IP address on the interface facing the ASA, assuming I have no privileges on R5. What I am trying to achieve is how a user at R1 reaches the ISP router.

I have static routing configured on every device.

Kindly find the ASA config below:

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any host 10.10.10.2 echo
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255
access-group 101 in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
route outside 10.10.10.2 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:840e8d7a27f16c9094388b697a7894fb
: end

 

Let me know if you need any other device config.

 

Thanks

 

Super Bronze


Hi,

 

You seem to have ICMP inspection configured, so that's fine.

 

I am not sure what the purpose of this "route" configuration is

 

route outside 10.10.10.2 255.255.255.255 192.168.1.1 1

 

You can remove this from the configuration.

 

You seem to have configured a Static NAT for some internal host. Is this Static NAT for the R1?

static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255

 

This does a NAT for some internal IP address and uses a NAT IP address that belongs to the "outside" interface subnet. This should mean that at least this internal host should be able to reach the ISP router R5's IP address without needing any additional routing configuration on the ISP router.

 

So is the IP address 192.168.2.10 the IP address of R1? Or, as you say, the PC's?

 

- Jouni

 

New Member


 

Thanks Jouni for the reply. Though every reply of yours is correct, I clicked the correct answer too early. Anyway,

As per your suggestion I removed the route outside command.

You are right, 192.168.2.10 is the IP address of R1 (PC), and the static NAT's purpose was to allow this host to reach the ISP router, i.e. R5.

I am still not able to reach R5:

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

 

Thanks

Super Bronze


Hi,

 

It still seems to me to be a routing problem. As I suggested before, go through all the devices, and on each device make sure that there is always a route for the source address of the ping and the destination address of the ping.

 

It seems like you are missing a route somewhere. Make sure that there are no typos in the static routes, for example.

 

- Jouni

New Member


 

Please find the routing table of each device:

L3 switch:

===

L3switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

C    192.168.2.0/24 is directly connected, Vlan2
S*   0.0.0.0/0 [1/0] via 192.168.2.1

 

R4 Router:

===

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
S       10.10.10.0 [1/0] via 192.168.1.1
C    192.168.1.0/24 is directly connected, Ethernet1/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0

 

ASA:

====

ciscoasa# SH ROUte

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

C    10.10.10.0 255.255.255.252 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.2, inside

====

As I told you earlier, I have not done any sort of configuration on the ISP router (R5); let me know if something needs to be done on that as well.

 

Thanks

Super Bronze


Hi,

 

The ASA has the required routes, even though a default route pointing to the internal network is not typical, but then again this is a lab network.

 

R4, connected to the ASA, seems to have the routes also, and it has the subnet 192.168.2.0/24 directly connected.

 

Now my confusion is with the fact that the topology picture lists 2x L3 switches. Are we missing one L3 switch's configuration? Is the missing device also missing the required routing information?

 

It seems to me that R4 is already directly connected to the subnet 192.168.2.0/24 and therefore there should not be devices routing between R1 and R4. I mean that there should be an L2 link between R4 and R1, at least with regards to the connection from R4 port FastEthernet0/0. On the switch it seems to be VLAN ID 2? So that should go all the way from the port connected to the R4 F0/0 to the R2 port F1/0

 

- Jouni

 

EDIT: So many typos

New Member


 

Yes, you're right, the other L3 switch which you see in the topology has been used as an L2 switch only, to bypass the VLAN information.

Your observation is right.

Now I am wondering, since R1 is able to reach the ASA but not beyond it, do we need to configure any static route on the ASA which would allow the 192.168.2.0/24 network to reach R5?

Thanks 

Super Bronze


Hi,

 

I just now noticed that you tried to ping the IP address 10.10.10.2 from R1. You are pinging the NAT IP address of the host you are pinging from.

 

What is the IP address on the ISP R5? You should be pinging that IP address. Though, considering that your subnet mask is /30 on the link between the ASA and R5, there do not really seem to be many free IP addresses. Could you maybe reconfigure the network mask on the ASA and R5 for their link?

 

- Jouni

New Member


 

Yes, 10.10.10.2 is the NAT address as well as the IP address of the R5 link connected to the ASA.

I reconfigured the subnet mask on both the ASA and R5 and changed it to /24.

I am still not able to ping; now I notice packet drops instead of the ICMP unreachable message.

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Super Bronze


Hi,

 

What I meant is that pinging the NAT IP address of R1 makes no sense.

 

You said you were trying to ping R5, so in that case the IP address 10.10.10.2 has nothing to do with R5, as it is not configured there, or at least should not be, since it is configured on the ASA.

 

The IP address 10.10.10.2 is the IP address with which R1 is visible to the ISP router R5. So what is the IP address configured on R5 that you should be pinging?

 

- Jouni

 

 

 

 

New Member


 

Now I am confused,

10.10.10.2 is the IP address configured on R5 and 10.10.10.1 is configured on the outside interface of the ASA.

Now I am not sure whether the static NAT command which I have configured is correct or not.

R5#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.10.10.2      YES manual up                    up

 

======

ciscoasa# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.1     YES manual up                    up
Ethernet0/1                10.10.10.1      YES manual up                    up

I am trying to ping from R1 to Ethernet0/0 of R5.

Thanks

Super Bronze


Hi,

 

The main problems here are these things:

 

You have configured the subnet 10.10.10.0/30 between the ASA and the ISP R5. This means the subnet contains the addresses 10.10.10.0 - 10.10.10.3. Of these, 10.10.10.0 and 10.10.10.3 are not used, as they are the subnet and broadcast addresses. IP address 10.10.10.1 is configured on the ASA interface and IP address 10.10.10.2 is configured on the ISP R5.

 

On the ASA you have configured the following Static NAT

 

static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255

 

This basically tells the ASA to translate the internal IP address 192.168.2.10 to the external IP address 10.10.10.2. This does not make sense, as IP address 10.10.10.2 is configured on the ISP R5. The IP address is used both on the ASA and on the ISP R5, and this naturally cannot work.

 

I would therefore suggest that you change the subnet mask on the ASA and the ISP R5 to /24 (255.255.255.0), remove the existing static NAT and replace it with this, for example:

 

static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255

 

Then you could try to ping 10.10.10.2 from R1.

 

- Jouni

New Member


 

Excellent, I did the same and it works. Thanks for your help.

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/64 ms

========

Now please let me know, if I want R5 to reach R1 (192.168.2.10), what I need to do on the ASA....

Thanks

Super Bronze


Hi,

 

Well, there is not much you have to do.

 

You already have an ACL configured on the ASA that you can use to allow traffic from R5 to R1.

 

access-list 101 extended permit icmp any host 10.10.10.10 echo

 

The existing rule that you have for the destination IP address 10.10.10.2 is not needed.

Since you should now have this static NAT configured:

static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255

 

It should mean that you can now reach R1 from R5 by pinging the IP address 10.10.10.10 (unless something on R1 blocks the traffic for some reason).

 

Hope this helps :)

 

- Jouni

New Member


Hi,

Did you mean that I should remove access-list 101 extended permit icmp any host 10.10.10.10 echo from the ASA?

I did that but it didn't work,

since now I am able to ping 10.10.10.2 from R1; however, I want to reach 192.168.2.10 from R5.

 

Thanks

Super Bronze


Hi,

 

No, you could not have removed it, since it was not configured. I meant you should add the ACL line mentioned. I simply meant that the ACL rule that you already have there is not needed, as it has the wrong IP address in the rule.

 

I also mentioned that since you are NATing 192.168.2.10 to 10.10.10.10 towards the ISP R5, you will have to ping the IP address 10.10.10.10 from the ISP R5 if you want to ping R1 (as it is visible to R5 with that NAT IP address).

 

- Jouni

New Member


Alright, I understood what you meant.

I added back the ACL command as:

access-list 101 extended permit icmp any host 10.10.10.10 echo

Now when I try to ping 10.10.10.10 from R5 I am being denied:

R5#ping 10.10.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

=============

thanks

Super Bronze


Hi,

 

Just to make sure, can you share with us the output of the following commands from the ASA:

 

show run access-list

 

show run static

 

show run access-group

 

- Jouni

New Member


 

Hi,

My apologies, I forgot to apply the access list when I removed it previously.

So when I applied the access-list the ping worked from R5 to 10.10.10.10.

==

R5#ping 10.10.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/48 ms

=========================

Thanks for your help.... appreciate it.
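As an added example (not from the original thread or from Cisco), here is a small Python linter that parses the ASA 8.0 statement types discussed in this thread and flags the three defects Jouni identified: a static NAT mapped address that collides with the peer on the /30, a route whose next hop is the ASA's own inside address, and an ACL that is missing, not applied with access-group, or still permits the old mapped address. The config excerpts are constructed from the values posted above; the peer router's address (R5) is supplied as a parameter because the ASA config itself does not contain it.

```python
import ipaddress
import re

# Constructed excerpts: the config the OP posted, and the same config after Jouni's fixes.
ORIGINAL_CFG = """\
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 nameif outside
 ip address 10.10.10.1 255.255.255.252
access-list 101 extended permit icmp any host 10.10.10.2 echo
static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255
access-group 101 in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
route outside 10.10.10.2 255.255.255.255 192.168.1.1 1
"""
FIXED_CFG = """\
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 nameif outside
 ip address 10.10.10.1 255.255.255.0
access-list 101 extended permit icmp any host 10.10.10.10 echo
static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255
access-group 101 in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
"""

def parse_asa(text):
    """Extract the ASA 8.0 statements the checks need: interfaces, statics, routes, ACLs."""
    cfg = {"interfaces": {}, "statics": [], "routes": [], "acls": {}, "groups": {}}
    nameif = None
    for line in text.splitlines():
        s, tok = line.strip(), line.split()
        if s.startswith("nameif "):
            nameif = tok[1]
        elif s.startswith("ip address "):
            cfg["interfaces"][nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif s.startswith("static ("):
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask <mask>
            m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", s)
            cfg["statics"].append((m[1], m[2], ipaddress.ip_address(m[3]), ipaddress.ip_address(m[4])))
        elif s.startswith("route "):
            cfg["routes"].append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), ipaddress.ip_address(tok[4])))
        elif s.startswith("access-list ") and " host " in s:
            host = s.split(" host ")[1].split()[0]
            cfg["acls"].setdefault(tok[1], set()).add(ipaddress.ip_address(host))
        elif s.startswith("access-group "):
            cfg["groups"][tok[4]] = tok[1]  # interface name -> ACL applied to it
    return cfg

def lint(text, neighbors):
    """neighbors maps a nameif to the IP of its directly connected peer (R5 on outside here)."""
    cfg = parse_asa(text)
    ifs, findings = cfg["interfaces"], []
    peers = {k: ipaddress.ip_address(v) for k, v in neighbors.items()}
    for name, iface in ifs.items():
        if iface.network.prefixlen == 30:
            findings.append(f"{name}: /30 has two usable hosts; ASA plus peer leaves none for NAT")
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        out = ifs[mapped_if]
        if mapped not in out.network:
            findings.append(f"static: mapped {mapped} is not in the {mapped_if} subnet {out.network}")
        if mapped in (out.ip, peers.get(mapped_if)):
            findings.append(f"static: mapped {mapped} collides with a live address on {mapped_if}")
        if mapped not in cfg["acls"].get(cfg["groups"].get(mapped_if), set()):
            findings.append(f"static: no ACL applied to {mapped_if} permits traffic to {mapped}")
    for ifname, net, nh in cfg["routes"]:
        if nh in (i.ip for i in ifs.values()):
            findings.append(f"route {net} via {nh}: next hop is the ASA's own interface address")
        if nh not in ifs[ifname].network:
            findings.append(f"route {net} via {nh}: next hop is not on the {ifname} subnet")
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(label, lint(cfg, {"outside": "10.10.10.2"}) or ["no findings"])
```

Run against the posted config it reports four findings; against the corrected config it reports none, and dropping the access-group line (as happened later in the thread) brings back exactly one.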

New Member


Hello Jouni, need your help again.

As per this topology you said no device behind e0 will ping the outside interface of the ASA.

I just want to know, since the devices behind interface e0 have a security level of 100, and as per the concept they can reach from a higher to a lower security level.

Also we have an ACL allowing them, so why am I not able to ping?

Thanks

Super Bronze


Hi,

 

It's a limitation from the manufacturer of the device and its software (Cisco). The limitation is that you cannot ping or connect to an interface from behind another interface. Users behind "inside" can connect to the "inside" interface but not the "outside" interface. Users behind the "outside" interface can connect to the "outside" interface but not the "inside" interface, and so on. There is no configuration to get around this limitation (except in the case of VPN connections).

 

The "security-level" and "access-list" configurations you mention only affect traffic/connections through the device to some other remote network. They will not have any effect on being able to ping the "outside" interface from behind the "inside" interface.

 

Hope this helps :)

 

- Jouni

 

New Member


Thanks for the reply....

I configured EIGRP on the inside network and I was able to ping the outside interface of the ASA from the L2 switch and vice versa.

However, I am not able to ping from the L3 switch which is in the middle of the network.

Thanks

Super Bronze


Hi,

 

If the L2 switch has a management IP address from some subnet located behind the ASA "inside" interface then this ping should not be possible.

 

This leads me to believe that the L2 switch might be connected to the network segment on the "outside" interface, but I really can't be sure.

 

You could check some configurations on the L2 switch, for example:

 

show ip interface brief

 

show run | inc default-gateway

 

- Jouni

New Member


Hi,

I am sorry... I am trying to ping the inside interface of the ASA, not the outside.

However, I am not able to ping.

I got your point on why we cannot ping the outside interface of the ASA.

Thanks

Super Bronze


Hi,

 

Since it's an L2 switch, we still need to know that it has an IP address configured in the proper subnet under the proper VLAN interface, and also that it has "ip default-gateway" configured to point to the gateway address of the subnet used on the VLAN interface. Without this configuration it will not be able to reach anything outside its own subnet.

 

I guess in your case you should have an "interface Vlan2" configured on the L2 switch and it should have some IP address from the subnet 192.168.2.0/24 on it. Then it should have the "ip default-gateway" configuration pointing to the gateway IP address of the subnet 192.168.2.0/24.

 

- Jouni

New Member


Hi,

 

COMSC29C02#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan2                  192.168.2.3     YES NVRAM  up                    up

 

ip default-gateway 192.168.2.1 is also configured.

192.168.2.1 is the IP address of the router.

Moreover, the L2 switch is able to reach the other interface of the router, which is connected to the ASA, but not the inside interface (192.168.1.1):

COMSC29C02#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
COMSC29C02#
COMSC29C02#
COMSC29C02#
COMSC29C02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

Thanks
