Cisco ASA - Can't ping out from WAN interface, but can ping in from other devices.

I can't ping out the 'outside' interface of my ASA to my default gateway 172.30.0.10. I can ping the ASA 'outside' interface ip 172.30.0.8 from my router or even when I directly connect a laptop where the laptop has the gateway IP. I tried to open the firewall up fully, but the issue still stands. Can someone please assist?


Gateway of last resort is 172.30.0.10 to network 0.0.0.0

C    172.20.0.0 255.255.255.0 is directly connected, dmz
C    172.20.2.0 255.255.255.0 is directly connected, inside
C    172.20.3.0 255.255.255.0 is directly connected, failover
C    172.30.0.0 255.255.255.0 is directly connected, outside
S    10.35.208.0 255.255.240.0 [1/0] via 172.20.2.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.30.0.10, outside


Result of the command: "sh run"

: Saved
:
ASA Version 8.3(2)
!
hostname ASA
domain-name CUNJ
names
dns-guard
!
interface Ethernet0/0
 nameif dmz
 security-level 100
 ip address 172.20.0.10 255.255.255.0 standby 172.20.0.11
!
interface Ethernet0/1
 nameif outside
 security-level 100
 ip address 172.30.0.8 255.255.255.0 standby 172.30.0.9
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.20.2.10 255.255.255.0 standby 172.20.2.11
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name CUNJ
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside
 subnet 172.20.2.0 255.255.255.0
access-list inside_access_in extended permit ip 10.35.208.0 255.255.240.0 10.35.208.0 255.255.240.0
access-list inside_access_in extended permit ip 172.20.0.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list inside_access_in extended permit ip 172.20.2.0 255.255.255.0 172.20.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip interface outside interface inside
access-list global_access extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging mail informational
mtu dmz 1500
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface dmz
ip verify reverse-path interface management
ip audit name Info-Drop info action alarm drop
ip audit name Attack-Drop attack action alarm drop
ip audit interface outside Info-Drop
ip audit interface outside Attack-Drop
ip audit signature 2004 disable
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover polltime unit msec 200 holdtime 15
failover polltime interface msec 500 holdtime 25
failover key *****
failover replication http
failover link failover Ethernet0/3
failover interface ip failover 172.20.3.11 255.255.255.0 standby 172.20.3.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source dynamic obj_any interface
nat (inside,inside) source static Inside Inside destination static Inside Inside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 172.30.0.10 1
route inside 10.35.208.0 255.255.240.0 172.20.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Hello.
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 1440
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
no threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn

!
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
smtp-server 10.35.208.77
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end
bjsvec

What device is 172.30.0.10 and do you have admin access to it? When you can't ping something it is usually the thing you are trying to ping that doesn't allow it. Can you ping other addresses?

Can you show the results of the ping command?
Ernie Beek
So are you trying to ping through the ASA or from the ASA?
ASKER CERTIFIED SOLUTION
First Last
Damn, you're too fast for my typing skills....
First Last
ASKER

Removing IDS (ip audit) worked.
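The thread's resolution is to remove ip audit entirely; the fragment below, added here and not from the original thread, shows the relevant lines from the posted config beside two narrower alternatives that keep the IDS signatures. It assumes the drops came from the info-class signatures applied on 'outside' (the asker had disabled only 2004, ICMP Echo Request, so pings in worked, while the replies to the ASA's own pings, signature 2000, ICMP Echo Reply, still hit the drop action); that reading fits the posted config but was not confirmed in the thread.

```cisco
! As posted: the info signature class is applied on 'outside' with action 'drop'.
! Only 2004 (ICMP Echo Request) is disabled, so inbound pings to the ASA succeed,
! but 2000 (ICMP Echo Reply) is still active and drops the replies to outbound pings.
ip audit name Info-Drop info action alarm drop
ip audit interface outside Info-Drop
ip audit signature 2004 disable

! Alternative 1 (assumption, not tested in the thread): keep 'drop' on the info
! class but exempt the reply signature as well as the request signature.
ip audit signature 2000 disable
ip audit signature 2004 disable

! Alternative 2 (assumption, not tested in the thread): keep all signatures active
! on 'outside' but only alarm (log), never drop. The policy is detached, deleted and
! re-created so the new action is unambiguous.
no ip audit interface outside Info-Drop
no ip audit name Info-Drop info action alarm drop
ip audit name Info-Drop info action alarm
ip audit interface outside Info-Drop

! Verification after either change: the per-signature counters on 'outside' should
! stop increasing for 2000/2004, and a sourced ping should now get replies.
show ip audit count interface outside
ping outside 172.30.0.10
```

Whichever variant is used, the troubleshooting changes left in the posted config (security-level 100 on outside, the permit ip any any entries in outside_access_in, inside_access_in and global_access, and ssh/http from 0.0.0.0 on inside) should be rolled back once the ping test passes.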