
Cisco ASA 8.3 - Dynamic PAT - cannot ping internet address

Hello,
I'm reconfiguring our Meeting Firewall after migrating from a Cisco PIX 525 to an ASA 5505 (8.3).
I've reconfigured the firewall following Cisco guidelines on the new NAT rules. The relevant part of the config follows:


object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ExternalServer
 host 60.247.84.83
object network InternalServer
 host 10.10.0.9
object network Symposium
 subnet 10.10.8.0 255.255.255.0
object network DynSymposium
 host 60.247.84.86
object network obj-10.10.0.0
 subnet 10.10.0.0 255.255.248.0
object network obj-10.10.8.0
 subnet 10.10.8.0 255.255.248.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-205.bin
no asdm history enable
arp timeout 14400
!
object network InternalServer
 nat (inside,outside) static ExternalServer
object network obj-10.10.0.0
 nat (inside,outside) dynamic 60.247.84.84
object network obj-10.10.8.0
 nat (dmz,outside) dynamic DynSymposium
access-group inside_access_in in interface inside
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 60.247.84.81 1

From the server (static NAT) everything works fine.

From the PAT network (10.10.0.0/21):
If I configure the PAT to be a public IP = nat (inside,outside) dynamic 60.247.84.84
I cannot ping external websites (e.g. Google)
I can always ping the internal interface (gateway)

If I configure the PAT to use the outside interface = nat (inside,outside) dynamic interface
I can ping and tracert any external website
I can always ping the internal interface (gateway)

I should probably say that I'm currently connecting from China (some downtime could be due to the infrastructure)

Do you see anything wrong with my configuration?
Is it normal that I cannot ping external websites when I configure a Dynamic PAT?

P.S.: I have attached the full FW configuration (I removed only a few lines)

Thanks,
Roberto. (attachment: ASA-conf.txt)

Istvan Kalmar, Head of IT Security Division

Commented:
Please try:

icmp permit any inside
I looked through the configuration. It looks good.

As already suggested, you could try the icmp permit any inside command. I would also suggest applying the icmp permit any outside command as well.
Test if it is working. If not, go ahead and remove the icmp permit any outside command for security reasons.

You could also enable the inspection of ICMP traffic in the global policy-map, since this traffic is going through the firewall and not destined to the firewall.

Let me know if it works.
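For reference, the ICMP pieces the replies above point at, written out in ASA 8.3 syntax. This is an added example, not the asker's posted configuration or a Cisco reference config; it assumes the interface names inside/outside and the OUTSIDE_IN_ACL name from the question.

```cisco
! Added example, not part of the original thread's config.
!
! "icmp permit" governs ICMP addressed TO the ASA's own interface
! addresses (e.g. pinging the gateway), not ICMP passing through it.
! It is not filtered by the interface ACLs.
icmp permit any inside
icmp permit any outside
!
! ICMP passing THROUGH the ASA is only tracked as a stateful connection
! when ICMP inspection is enabled. Without it, echo-replies returning
! from the internet are evaluated as fresh inbound packets and succeed
! only if OUTSIDE_IN_ACL happens to permit them.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Once inspection tracks outbound echo requests, the inbound exceptions
! in OUTSIDE_IN_ACL for echo-reply and time-exceeded are no longer
! needed for outbound ping/traceroute, and the ACL can be tightened to
! the inbound traffic that is actually required.
```

The "icmp permit any outside" line is the one the replies suggest removing again once testing is done; it only affects ICMP terminated on the outside interface.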

Author

Commented:
Hello,
that did it... I had completely forgotten to add the policy inspectors.
Once I did that and added the icmp outside permit rule (without it the ping fails intermittently), I was able to ping any external website.

Thanks a lot,
Roberto.