How to ping the inside network with Cisco 5505 Firewall

Hi there,
I am having some issues trying to ping the inside network using a Cisco 5505. Below I'll post my configuration.
Any help would be greatly appreciated.

Thanks,
router# sh running-config
: Saved
:
ASA Version 7.2(4)
!
hostname router
domain-name mitre.org
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.131.xxx.xxx 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 128.29.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mitre.org
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service web tcp
 description Web Traffic
 port-object eq 8080
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 eq ssh
access-list v483-cloud-IN extended permit udp any 10.131.0.0 255.255.255.0 eq ntp
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 object-group web
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group v483-cloud-IN in interface outside
route outside 0.0.0.0 0.0.0.0 128.29.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 128.29.109.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

username admin password kSXIy6qd1ZTBFL9/ encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:60d9d33d178f732662157806e27a4a27
: end
router#

ETLAB Asked:
 
krejci_420 Commented:
You have access to use the whole 128.29.109.0 network? If the IP in question you tried to add to the static mapping is in use on another device outside of your firewall then the gateway router device will have an ARP conflict with your firewall and the other device. Does the gateway router device (your firewall's default gateway) have any ACLs or filtering? You can start up a packet capture on the ASA to watch for traffic destined for that IP address and verify traffic is reaching your firewall.

access-list capture-test permit ip any host 128.29.109.X
capture capture-test interface outside access-list capture-test real

That will show in real time packets on the outside interface that are destined for that IP in question.
0
 
JFrederick29 Commented:
Trying to ping from the ASA to a host on the inside?

If so, add this:

conf t
icmp permit any inside
0
 
RulonA Commented:
Hi, where are you trying to ping from? Are you able to ping the inside host from the ASA itself? Check the ARP table (show arp) and also see if any hits have accrued on the access-lists (show access-list).
0
 
krejci_420 Commented:
Are you trying to ping from the internet/outside to an inside host? If so, you'll need to add static mapping entries assigning single outside public IP addresses to single inside IP addresses, also known as one-to-one mappings or NAT. If not, a few more details will be necessary.
0
 
ETLAB Author Commented:
All,
I am on a network 128.29.xxx.xxx and they just created another subnet which has been advertised, 10.131.xxx.xxx. The outside network is 128.29.xxx.xxx and the inside new subnet is 10.131.xxx.xxx. What I am trying to reach is the inside 10.131.xxx.xxx from the outside. Inside the Cisco 5505 I can ping all the interfaces 128.29.xxx.xxx and the 10.131.xxx.xxx plus a host that is connected to the PIX with an IP of 10.131.xxx.2, but I am unable to reach the 10.131.xxx.2 from the outside.
0
 
krejci_420 Commented:
As I indicated, you will need to add a static mapping to be able to ping from the internet to an inside host. To be able to add a static mapping you will need additional IP addresses, which it looks like you have, as you are on a full class C network. Assuming the entire block has been assigned to you to use, then you should be able to use any not yet in use elsewhere.

static (inside,outside) 128.29.xxx.xxx 10.131.xxx.xxx netmask 255.255.255.255
0
 
ETLAB Author Commented:
Krejci 420:

I tried static (inside,outside) 128.29.xxx.0 10.131.xxx.0 netmask 255.255.255.255 and it did not work.
0
 
krejci_420 Commented:
Using .0 is not allowed in most scenarios. The firewall knows that is the "subnet" address. Try using something between .1 and .254 that is not already in use. Note the last octet does not have to be identical on the outside and the inside.

Now if you want to use the whole class C range and map to the internal IP addresses you can use the same static entry as above but then change the netmask number to 255.255.255.0 and it will map all of the IP addresses thru in a one-to-one mapping with that single line.
0
 
ETLAB Author Commented:
krejci_420,
I tried both ways with no luck.
0
 
krejci_420 Commented:
What is happening? Are the commands giving errors or are you just unable to ping thru? You may need to clear the translation table (clear xlate) after putting in the static mapping config.

It may be easier to focus on one single IP.
Add the config obviously replacing the X and Y for unused address on the outside and a real host on the inside. Then you should be good. Obviously need to make sure the inside host is allowing ICMP as well in whatever host firewall software you're using if any and it has a default gateway pointing at the firewall. I presume you've already got the gateway correctly setup but it never hurts to ask and make sure it is not a simple mistake like that.

I'd also recommend enabling logging on the firewall in general but you can enable full debug logging to the buffer which is very verbose but useful in troubleshooting odd issues.
conf t
static (inside,outside) 128.29.x.y 10.131.x.y netmask 255.255.255.255
clear xlate

0
 
ETLAB Author Commented:
krejci_420,

Here is what I tried:

static (inside,outside) 128.29.109.0 10.131.0.0 netmask 255.255.255.255
clear xlate
And it still is not working.
0
 
ETLAB Author Commented:
Krejci_420,

I created an access-list, as you can see in the configuration that I attached, using the command line, but then I created another access-list using the ASDM. Do you think that this might conflict?

access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 eq ssh
access-list v483-cloud-IN extended permit udp any 10.131.0.0 255.255.255.0 eq ntp
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 object-group we
0
 
krejci_420 Commented:
From your config in the initial question the ACL looks fine as it is applied via the access-group config.

You can't use a .0 in the IP addresses with a 255.255.255.255 in the netmask for this topology. Use a specific IP for a specific host and try it.

one example:
static (inside,outside) 128.29.109.50 10.131.0.50 netmask 255.255.255.255
0
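
The netmask rule from the answers above, written as a small lint for ASA 7.x `static` lines. This is an added example, not part of the original thread or any Cisco tool; the two /24 interface subnets and the "host bits set" check are assumptions of the example, taken from the addresses the posts show unmasked.

```python
import ipaddress
import re

# Assumed interface subnets: the thread masks most octets, so these /24s
# come from the values the posts do show (128.29.109.0 and 10.131.0.0).
INTERFACES = {
    "inside": ipaddress.ip_network("10.131.0.0/24"),
    "outside": ipaddress.ip_network("128.29.109.0/24"),
}

# static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")


def lint_static(line):
    """Return a list of findings for one 'static' line (empty list = clean)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a static (real_if,mapped_if) line"]
    real_if, mapped_if, mapped, real, mask = m.groups()
    findings = []
    for label, ifname, addr in (("mapped", mapped_if, mapped),
                                ("real", real_if, real)):
        try:
            ip = ipaddress.ip_address(addr)
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append(f"{label} {addr} / {mask} is not valid IPv4")
            continue
        if ip != net.network_address:
            # A range mapping (e.g. 255.255.255.0) should start at the network.
            findings.append(f"{label} {addr} has host bits set under {mask}")
            continue
        ifnet = INTERFACES.get(ifname)
        if net.prefixlen == 32 and ifnet is not None and ip in ifnet:
            # Host mapping that names the subnet or broadcast address.
            if ip == ifnet.network_address:
                findings.append(f"{label} {addr} is the subnet address of {ifname}")
            elif ip == ifnet.broadcast_address:
                findings.append(f"{label} {addr} is the broadcast address of {ifname}")
    return findings


if __name__ == "__main__":
    # Lines quoted from the thread, plus the whole-range variant it describes.
    for cfg in ("static (inside,outside) 128.29.109.0 10.131.0.0 netmask 255.255.255.255",
                "static (inside,outside) 128.29.109.50 10.131.0.50 netmask 255.255.255.255",
                "static (inside,outside) 128.29.109.0 10.131.0.0 netmask 255.255.255.0"):
        print(cfg, "->", lint_static(cfg) or "ok")
```
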
 
ETLAB Author Commented:
Krejci_420,

Nope, did not work.
0
 
ETLAB Author Commented:
Inconclusive
0
Question has a verified solution.
