Workstation cannot ping the router on outside interface of firewall.

I have 2 Cisco ASAs working in active/standby mode. The active one is sitting behind a Cisco 3900 router.

The IP for the Cisco 3900 router is 192.168.1.2.

I can successfully ping this ip address from the firewall.

Now when I connect a machine on the inside interface of the firewall, I can ping the firewall, which is its gateway, with no issues, but I cannot ping the router from the machine. I have the below NAT settings too.

nat (inside) 1 0 0

global (outside) 1 interface

Still I cannot ping the router from the machine which is on the inside of the firewall. The router is on the outside of the firewall.

Any suggestions?

Thanks,

Pratik

1 ACCEPTED SOLUTION

Hello Pratik.

Please do the following.

-fixup protocol icmp

That should do it.

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
13 REPLIES

Hi Pratik,

You need to allow ICMP 'echo-reply' to inside on the ASA outside interface ACL.

hth

MS

So my ACL would be

access-list outside_access_in extended permit icmp any any echo-reply

access-group outside_access_in in interface outside

Am I right?

It should work. Let us know if you still have any issues.

Thx

MS

It didn't work. Below is my config.

ASA Version 8.2(1)

!

hostname BDS-FA-FW

enable password Fk/FKoeyrw2FML8Z encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.7.1 255.255.255.0 standby 192.168.7.2

!

interface GigabitEthernet0/2

description LAN/STATE Failover Interface

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 204.138.112.2 255.255.255.0 standby 204.138.112.4

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2

management-only

!

ftp mode passive

access-list outside_access_in extended permit tcp any any eq echo

pager lines 24

logging asdm informational

mtu outside 1500

mtu management 1500

mtu inside 1500

failover

failover lan unit primary

failover lan interface bds-failover GigabitEthernet0/2

failover key *****

failover link bds-failover GigabitEthernet0/2

failover interface ip bds-failover 10.10.1.1 255.255.255.0 standby 10.10.1.2

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 204.138.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:4ea9a80395ba6903666c9eff68fcfbb3
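Two lines decide whether echo-replies from the outside router get back to the workstation: the accepted fix (`fixup protocol icmp`, which in 8.x ends up as `inspect icmp` under the global policy) and the outside ACL, which in the config above permits `tcp ... eq echo` rather than ICMP. The following is an added check, not code from the thread or from Cisco; it reads a constructed, abridged copy of that config and reports both problems. Function names and the sample are my own.

```python
import re

# Constructed sample: an abridged copy of the ASA 8.2(1) config posted above.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any any eq echo
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""
# ACL address forms handled: 'any', 'host A.B.C.D', 'A.B.C.D MASK' (object-groups are not)
ADDR = r"(?:any|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"

def icmp_inspected(config):
    # 'inspect icmp' counts only inside the policy-map applied by 'service-policy <name> global'
    m = re.search(r"^service-policy (\S+) global\s*$", config, re.M)
    if not m:
        return False
    in_map = False
    for line in config.splitlines():
        if line.startswith("policy-map "):
            in_map = line.split()[1] == m.group(1)  # 'policy-map type ...' never matches
        elif in_map and line.strip() == "inspect icmp":
            return True
    return False

def acl_permits_echo_reply(config):
    # True if the ACL applied inbound on 'outside' permits echo-reply, all ICMP, or all IP
    m = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    if not m:
        return False
    rule = re.compile(rf"^access-list {re.escape(m.group(1))} extended permit "
                      rf"(ip {ADDR} {ADDR}|icmp {ADDR} {ADDR}(?: echo-reply)?)\s*$", re.M)
    return rule.search(config) is not None

def diagnose(config):
    # Findings a reviewer would raise about pings from inside hosts to the outside router
    findings = []
    if not icmp_inspected(config) and not acl_permits_echo_reply(config):
        findings.append("no ICMP inspection and the outside ACL does not permit echo-reply: "
                        "replies to inside pings are dropped")
    for line in config.splitlines():
        if re.match(r"access-list \S+ extended permit tcp .* eq echo$", line):
            findings.append("matches TCP port 7 (echo), not ICMP: " + line)
    return findings
```

Run `diagnose(SAMPLE_CONFIG)` as posted and both findings appear; add `inspect icmp` under `class inspection_default`, or change the ACL line to `permit icmp any any echo-reply`, and the first finding clears.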

Julio,

It didn't work. I still get a timeout. I can ping 204.138.112.1 from the firewall, but cannot from the workstation.

My workstation settings are as below.

IP: 192.168.7.10

Subnet: 255.255.255.0

Default Gateway: 192.168.7.1

DNS: 4.2.2.2

I can ping 192.168.7.1. But cannot further.

Looks like it's something to do with the destination IP address. Any ACL on that? Also, meanwhile, can you ping any external IP on the internet to see if ICMP is passing your firewall? Ping 4.2.2.2.

Ajay,

I cannot ping 4.2.2.2.

There is no access list on destination IP 204.138.112.1. It is a Cisco 3900 router. I can ping the router with no issues from the firewall, but cannot ping from the workstation which is on the inside of the firewall.

Hello Pratik,

Please do the following capture and provide us the capture after you try to ping again:

access-list capin permit icmp host 192.168.7.10 host 204.138.112.1

access-list capin permit icmp host 204.138.112.1 host 192.168.7.10

access-list capout permit icmp host 204.138.112.2 host 204.138.112.1

access-list capout permit icmp host 204.138.112.1 host 204.138.112.2

capture capin access-list capin interface inside

capture capout access-list capout interface outside

Please try to ping and provide the following output:

-sh cap capin

-sh cap capout

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Julio,

I guess the fixup command worked. I can now ping 204.138.112.1 from the workstation.

So I am good on that part. Now my other issue is I cannot ping 4.2.2.2 from this router, which is a Cisco 3900. Can you help with that?

Thanks,

Pratik

Hello Pratik,

Good to hear that the stateful inspection for the protocol ICMP worked.

Sure, we can help but we will need to see the configuration of the router.

-Do you have any firewall feature configured on the router (CBAC,ZBFW)?

-What is the default gateway of your router? Can you ping the default gateway?

-Can you let us know the NAT statements you have configured on the router?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Julio,

I figured what I was missing from the questions you asked. I was missing a default route on the router. I put that and everything works now.

Thanks a lot for your help!

Pratik

Hello,

Great to hear that.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC