
ASA 5505 Cannot ping from inside interface to outside interface

Greetings,

I am new to the Cisco ASA. I have a Cisco ASA 5505 and I have my internal and external interfaces configured, but I currently cannot ping from the inside to an IP address on the outside. I had this set up and working, and I have another set of equipment that I am replacing that is working with my service provider, so I know it is a configuration issue. When I ping 4.2.2.2, for example, I get:

  Destination host unreachable

Do I need to add a static route from my inside interface to my outside interfaces?               

Here is my configuration.  Please advise. 

: Saved

:

ASA Version 8.2(5)

!

hostname pxasa

enable password <removed> encrypted

passwd <removed> encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address <##.##.##.##> 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address <##.##.##.##> 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 184.16.33.54

access-list outside_nat0_outbound extended permit ip any <##.##.##.##> <##.##.##.##>.0

access-list outside_access_in extended permit tcp <##.##.##.##> <##.##.##.##> <##.##.##.##> <##.##.##.##> eq https

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNIP-Pool <ip removed>-<ip removed> mask <ip removed>.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (outside) 1 <ip removed>

nat (outside) 0 access-list outside_nat0_outbound outside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http <##.##.##.##> <##.##.##.##> inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn pxasa.nullvpn2.predixionsoftware.com

subject-name CN=vpn2.predixionsoftware.com

keypair sslvpnkeypair

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate

    <removed>

  quit

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 10

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable inside

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

internal-password enable

group-policy SSLGroupPolicy internal

group-policy SSLGroupPolicy attributes

wins-server none

dns-server value 184.16.33.54

vpn-tunnel-protocol svc

default-domain none

address-pools value VPNIP-Pool

group-policy DfltGrpPolicy attributes

dns-server value 184.16.33.54

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

wins-server none

dns-server value 184.16.33.54

vpn-tunnel-protocol svc

default-domain none

username Predixion password <removed> encrypted privilege 0

username Predixion attributes

vpn-group-policy DfltGrpPolicy

username cisco password <removed> encrypted

tunnel-group vpn2.predixionsoftware.com type remote-access

tunnel-group vpn2.predixionsoftware.com general-attributes

default-group-policy SSLGroupPolicy

dhcp-server <##.##.##.##>

dhcp-server <##.##.##.##>

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

2 REPLIES

ASA 5505 Cannot ping from inside interface to outside interface

Try adding 'inspect icmp' to the 'policy-map global_policy' config.

hth

MS

ASA 5505 Cannot ping from inside interface to outside interface

Jeff,

I'm assuming that you're supposed to be natting on this ASA. The nat statement is missing. In addition to what was stated above with the inspect, you'll need to add another nat statement:

global (outside) 1

nat (outside) 0 access-list outside_nat0_outbound outside

nat (inside) 1 0.0.0.0 0.0.0.0

NAT 0 bypasses nat altogether, so I'm not 100% certain what you're trying to accomplish there. You may not need nat on this device at all, but if so add the above lines to see if it helps.

HTH,

John
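
Added example, not part of any post in this thread: a small Python audit that checks an ASA 8.2-style (pre-8.3 NAT) configuration for the two gaps the replies name, a `global` pool with no matching `nat (inside)` ID and a `global_policy` without `inspect icmp`. The default-route check is an extra assumption prompted by the routing question in the original post; the sample configuration is constructed, uses documentation addresses in place of the redacted ones, and assumes the same inside/outside two-interface layout.

```python
import re

# Constructed sample: only the lines relevant to the thread, with a
# documentation address (192.0.2.0/24) standing in for the redacted one.
SAMPLE = """\
global (outside) 1 192.0.2.10
nat (outside) 0 access-list outside_nat0_outbound outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
service-policy global_policy global
"""

def audit(config):
    """Return findings that can explain failed inside-to-outside pings."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []

    # Pre-8.3 NAT pairs 'nat (inside) N' with 'global (outside) N' by the ID N.
    # ID 0 is NAT exemption and never pairs with a global pool.
    pools = {m.group(1) for l in lines
             if (m := re.match(r"global \(outside\) (\d+)", l))}
    inside = {m.group(1) for l in lines
              if (m := re.match(r"nat \(inside\) (\d+)", l))} - {"0"}
    for nat_id in sorted(pools - inside):
        findings.append(f"global {nat_id} has no matching 'nat (inside) {nat_id}'")
    for nat_id in sorted(inside - pools):
        findings.append(f"'nat (inside) {nat_id}' has no matching global")

    # Collect the 'inspect' lines that belong to policy-map global_policy.
    inspects, in_map = set(), False
    for l in lines:
        if l.startswith("policy-map "):
            in_map = l.split()[-1] == "global_policy"
        elif l.startswith(("!", "service-policy")):
            in_map = False
        elif in_map and l.startswith("inspect "):
            inspects.add(l.split()[1])
    if "icmp" not in inspects:
        findings.append("no 'inspect icmp' in policy-map global_policy")

    # Assumption added here: off-subnet destinations need a default route.
    if not any(re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines):
        findings.append("no default route on outside")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
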
