Inside Router can't ping ASA or outside ASA

Hi Experts,

I have a router connected to an ASA set up on GNS 3.
So far my ASA can ping all the way up to my hosts but my hosts cannot ping anything past the ASA's internal interface.

I have tried enabling ICMP and set up ACLs but it's not working, so I'm obviously doing something wrong.  Can someone please help?  I have been racking my brains for the past few hours.  I've included the running configs of both devices.

PS:  I'm very new to Cisco so it's probably something basic that I'm missing.

Thanks!

ROUTER CONFIG

routerconfig.txt

ASA CONFIG

asaconfig.txt
madstylexAsked:

rauenpcCommented:
I can't tell from looking at your configs what would be blocking ICMP. Would you be able to post a zipped up GNS3 project? I'm confident that if I could run your lab locally I could figure out the issue. You would just need to zip the .net file, and the working and configs folder related to the .net file.

Also, where are your hosts that you are trying to ping from/to?
0
madstylexAuthor Commented:
Thanks,

I can't seem to upload the folder, EE is telling me that the extension of one of the files is not allowed, even after I've renamed it.

My hosts are on the 10.6.2.0 /23 subnet.  I can get them to ping up to the inside interface of the ASA 10.6.4.29 /30 but not outside.

My ASA can ping all the way up to the 10.6.2.0 /23 subnet and outside onto the internet.

This GNS also has the connections to a DMZ but I have disconnected it to try and get the inside and outside working properly first.
0
AkinsdNetwork AdministratorCommented:
Check the security levels of the interfaces on the ASA. The outside interface should be set to zero (untrusted). You should have an access list that permits internal traffic on that interface. You should also have NAT statements that translate the traffic. Lastly, your default route should point to the next hop the outside interface connects to.
0

madstylexAuthor Commented:
Hi Akinsd,

All my security levels are as they should be.

Here are my IPs

Hosts:  10.6.2.0 /23
Router to inside:  10.6.2.30 /30
Router to ASA:  10.6.4.30 /30
ASA Inside Interface:  10.6.4.29 /30
ASA Outside interface:  192.168.137.2 /24
Gateway (loopback to my machine):  192.168.137.1 /24

I have 2 network objects created:

object network inside-subnet
  subnet 10.6.2.0 255.255.254.0

object network outside-subnet
  subnet 192.168.137.0 255.255.255.0

my nat objects are as follows:

object network inside-subnet
  nat (inside,outside) dynamic interface

object network outside-subnet
  nat (outside,inside) dynamic interface

Here is the ACL that I created:

access-list inside-to-outside extended permit icmp any object outside-subnet echo-reply
access-group inside-to-outside in interface outside

I still can't ping from any of my inside hosts to my ASA outside interface, or out to the internet.  Everything is fine pinging from the ASA itself.
0
arnoldCommented:
Some providers disable ICMP replies to ICMP requests originating from external sources within their network to avoid disclosing information.
0
madstylexAuthor Commented:
Hi Arnold,

Yes this is true, but Google doesn't.

I should be receiving replies from 8.8.8.8

When I trace my packets out from my hosts on the internal network I can see that they are going out but not coming back in.
0
arnoldCommented:
Look at whether your ASA has inspect ICMP as well as access-list that might discard echo-reply from the outside interface.

If you use the asa to ping from, do you get a response?
0
madstylexAuthor Commented:
When I ping from my ASA, I get a response from 8.8.8.8

But that would be because it's coming from my outside interface.  Nothing on the inside gets a response.
0
arnoldCommented:
Look at your config dealing with whether you permit ICMP to pass through to the internal interface from the outside.

What access lists do you have that apply on the inside interface out?
0
arnoldCommented:
Is the information below correct?
Router to inside:  10.6.2.30 /30
Router to ASA:  10.6.4.30 /30
ASA Inside Interface:  10.6.4.29 /30
ASA Outside interface:  192.168.137.2 /24
Gateway (loopback to my machine):  192.168.137.1 /24

Gateway loopback to your system and the outside interface are on the same IP segment?
Can you create a diagram of your network with all the IPs?

Internet <=> some device <=> 192.168.137.2  asa outside <-> asa inside 10.6.4.29/30 <=> 10.6.4.30/30 router outside <-> router inside 10.6.2.30/30 <=> LAN

Your system connects on which side of the ASA?
0
AkinsdNetwork AdministratorCommented:
Do a traceroute from your ASA with the address on the inside interface as source.

Do the same with a packet trace

traceroute 8.8.8.8 source Inside

packet-tracer input inside icmp 10.6.2.30 8 0 8.8.8.8 detailed

You can swap the other interface addresses as desired.

These 2 should give you an idea where the packets are being blocked.


The other option is to create a capture while running a continuous ping.
Let me know if you need help creating a capture.
- Create an access list allowing the source address
- Create a second line allowing the destination address
- Create a capture and map it to the ACL created.
0
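As an added illustration (not code from the thread, from Cisco, or from ASDM), here is a small Python model of the order in which the ASA applies the dynamic PAT and the outside interface ACL from the earlier config post, walked through the same echo/echo-reply pair that the packet-tracer command above would trace. It assumes ASA 8.3+ behaviour (interface ACLs are matched against real, untranslated addresses) and no `inspect icmp`; the host, ICMP id, and verdict strings are constructed for the example.

```python
import ipaddress

INSIDE_SUBNET = ipaddress.ip_network("10.6.2.0/23")        # object network inside-subnet
OUTSIDE_SUBNET = ipaddress.ip_network("192.168.137.0/24")  # object network outside-subnet
OUTSIDE_IF = ipaddress.ip_address("192.168.137.2")         # outside interface (PAT address)

# access-list inside-to-outside extended permit icmp any object outside-subnet echo-reply
# access-group inside-to-outside in interface outside
OUTSIDE_IN_ACL = [("permit", "any", OUTSIDE_SUBNET, "echo-reply")]

def acl_lookup(acl, src, dst, icmp_type):
    """First-match lookup; every ASA ACL ends with an implicit deny."""
    for action, a_src, a_dst, a_type in acl:
        if ((a_src == "any" or src in a_src) and (a_dst == "any" or dst in a_dst)
                and a_type == icmp_type):
            return action
    return "deny"

def outbound_echo(src, dst, icmp_id, xlate):
    """Echo request entering on 'inside'. No access-group is applied there, so the
    higher-to-lower security default permits it; dynamic PAT then rewrites the
    source to the outside interface address and records an xlate by ICMP id."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in INSIDE_SUBNET:
        return "drop (no NAT rule matches this source)"
    xlate[(OUTSIDE_IF, icmp_id)] = src
    return f"permit {OUTSIDE_IF}->{dst}"

def inbound_reply(src, dst, icmp_id, xlate, acl=OUTSIDE_IN_ACL):
    """Echo reply arriving on 'outside'. Without 'inspect icmp' there is no ICMP
    connection state, so the packet is untranslated via the xlate and then checked
    against the outside ACL using the real (8.3+ semantics) destination address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    real_dst = xlate.get((dst, icmp_id))
    if real_dst is None:
        return "drop (no xlate for this reply)"
    verdict = acl_lookup(acl, src, real_dst, "echo-reply")
    return f"{verdict} {src}->{real_dst}"

def trace(host="10.6.2.30", target="8.8.8.8", acl=OUTSIDE_IN_ACL):
    """Walk one echo/echo-reply pair, like packet-tracer run in both directions."""
    xlate = {}
    out = outbound_echo(host, target, icmp_id=1, xlate=xlate)
    back = inbound_reply(target, str(OUTSIDE_IF), icmp_id=1, xlate=xlate, acl=acl)
    return out, back

if __name__ == "__main__":
    print(trace())  # ('permit 192.168.137.2->8.8.8.8', 'deny 8.8.8.8->10.6.2.30')
```

Passing a different `acl` list to `trace()` shows which step changes the verdict, which is the same question the real packet-tracer output answers on the box.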
madstylexAuthor Commented:
I used the Cisco ASDM interface to set the rule up.
0

AkinsdNetwork AdministratorCommented:
Did you by any chance view the commands delivered by ASDM?

For future purposes, enable the command line view in preferences. ASDM will show you the command line syntax to be applied.
0
madstylexAuthor Commented:
I used the Cisco GUI to set the rule up.

Nothing I did from the command line worked
0
AkinsdNetwork AdministratorCommented:
I think you misunderstood.

ASDM is GUI. All it does is help you compile the commands to be delivered to the firewall.

See the picture illustrations below.

Figures 1 and 2 show you how to enable the CLI preview.
[Figures 1 and 2: ASDM1, ASDM2]
Figures 3 to 5 show a simple configuration of an access list with a description.
[Figures 3 to 5: ASDM3, ASDM4, ASDM5]
Figure 6 shows you a preview of the code ASDM is going to deliver to the firewall on your behalf.
You would achieve the same results if you typed the codes yourself.
[Figure 6: ASDM6]
I hope this helps
0