Solved

From inside the LAN, users are not able to ping the outside world with Cisco ASA active-active failover

Posted on 2009-04-16
Last Modified: 2013-11-05
We have created two contexts, "context-a" and "context-b", on the primary ASA 5520, and failover is working properly with the secondary ASA 5520, but users can't communicate with the outside. From the primary ASA's context-a and the admin context we are able to ping outside addresses such as 4.2.2.2; with the outside interface we are able to ping any public IP (right now we are not using context-b). If we try to ping from a user PC, we are not able to ping the outside. Right now we are using only one ISP link, and the gateway is 63.219.7.1. We have attached one PC to the primary ASA's inside port, and the IP given to the user PC is 172.16.120.100/24. From the PC we are only able to ping the inside IP of the primary ASA, nothing else.

Admin context:
Inside: 172.16.120.4/24 standby 172.16.120.8
outside: 63.219.7.20 /27 standby 63.219.7.19
DMZ: 192.168.1.8 /24 standby 192.168.1.9
Default gateway of outside: 63.219.7.1

Context-a IP:
Inside: 172.16.120.2/24 standby 172.16.120.5
outside: 63.219.7.30 /27 standby 63.219.7.21
DMZ: 192.168.1.1 /24 standby 192.168.1.12
Default gateway of outside: 63.219.7.1

In total, all contexts from the primary ASA were replicated to the secondary ASA. But we are not able to get Internet access from the inside zone.
We are trying to troubleshoot with ASDM's packet tracer, where the source IP was the inside IP from context-a and the destination IP was 4.2.2.2, and the output shows the packet was blocked by an access list.
Please give us a solution.
Question by:futurenetwings

Accepted Solution

by: Voltz-dk earned 2000 total points
ID: 24172268
Ping is stateless to the firewall, and as such the replies aren't allowed back in by default.  Try to enable icmp inspection and see if you can ping then:

policy-map global_policy
 class inspection_default
  inspect icmp
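
An added example, not part of the original answer and not Cisco tooling: a small Python check that reads a saved running-config from one context and reports whether inspect icmp sits in a policy-map that a service-policy actually applies, which is worth running per context in a multi-context setup. The sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample: running-config excerpt from one ASA context (not from the page).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
policy-map unused_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""

def parse_policy_maps(config):
    """Return {policy_map_name: {class_name: [inspected protocols]}}."""
    maps, pmap, cls = {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command ends any policy-map block
            m = re.match(r"policy-map (\S+)$", line.strip())
            pmap, cls = (maps.setdefault(m.group(1), {}) if m else None), None
        elif pmap is not None:
            words = line.split()
            if words[:1] == ["class"] and len(words) == 2:
                cls = pmap.setdefault(words[1], [])
            elif words[:1] == ["inspect"] and cls is not None:
                cls.append(" ".join(words[1:]))
    return maps

def applied_policies(config):
    """Policy-map names attached with 'service-policy <name> global|interface <if>'."""
    return re.findall(r"^service-policy (\S+) (?:global|interface \S+)", config, re.M)

def icmp_inspection_active(config):
    """True only if 'inspect icmp' is in a policy-map that a service-policy applies."""
    maps = parse_policy_maps(config)
    return any("icmp" in protos
               for name in applied_policies(config)
               for protos in maps.get(name, {}).values())

if __name__ == "__main__":
    print("before:", icmp_inspection_active(SAMPLE_CONFIG))
    # Apply the fix from the answer: add 'inspect icmp' under global_policy.
    fixed = SAMPLE_CONFIG.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n", 1)
    print("after: ", icmp_inspection_active(fixed))
```

The sample deliberately places inspect icmp in a policy-map that is never attached, so the check reports it as inactive until the line is added under global_policy.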