No traffic through ASA

I can't get any traffic to pass through an ASA.  I can ping 8.8.8.8 from the ASA itself but clients on the inside interface are not able to ping 8.8.8.8 or reach anything on the outside interface.  

A config of the device, and the output of the show route command are attached.

Thanks

Bill
putty.log
labdunn Asked:
ffleisma (Senior Network Engineer) Commented:
Try adding the following:
access-list outside_access_in extended permit icmp any any echo-reply
It seems echo-reply is not allowed from the outside, hence ping is failing.

The following will also work, if you would like to be more specific and allow echo-reply to the outside interface IP only:
access-list outside_access_in extended permit icmp any interface outside echo-reply
labdunn (Author) Commented:
Still no joy.  I should add not only am I not able to get pings through, I can't get other traffic such as a visit to google.com through the ASA either.
ffleisma (Senior Network Engineer) Commented:
Can you provide a packet-tracer output? The syntax is as follows:
packet-tracer input inside tcp 172.20.120.2 80 8.8.8.8 80

ffleisma (Senior Network Engineer) Commented:
It doesn't seem to be a problem with the ACL or NAT; we'll be able to tell more when the packet-tracer output is provided.

In terms of your test, are you doing a ping to the IP or the hostname? If the hostname is failing, it might be due to DNS not resolving. Also make sure that the host has gained a complete IP config through DHCP.
ping 8.8.8.8


You can also test using telnet instead (Pinging fd-fp3.wg1.b.yahoo.com [46.228.47.114]):
telnet 46.228.47.115 80
labdunn (Author) Commented:
Neat command.  Attached are the results of that command.  

I also ran that command against our production ASA box that is configured a bit differently.  I see where the paths split.  I left out some of the full configuration of the problem ASA on the original post.  I will post the full config with names and addresses modified for privacy.
Packet-Tracer.log
ASAConfig.log
labdunn (Author) Commented:
I'm using 8.8.8.8 as my DNS server so ping google.com won't work.  

Amazing.  telnet 46.228.47.115 80  works!
ffleisma (Senior Network Engineer) Commented:
So it should be isolated down to DNS/DHCP since telnet worked. But I'm leaning more towards a DNS issue.
Does the host have a complete IP config (default gateway, DNS)? You might need to run ipconfig/release and ipconfig/renew to reflect the DNS changes of 8.8.8.8 that you made.

You can also try:
Statically assign the IP and configure the DNS to 8.8.8.8 (Google public DNS).
labdunn (Author) Commented:
The problem was the vpnclient enable command.  I didn't have the other side configured properly and the tunnel was not up.
labdunn (Author) Commented:
Self provided

Question has a verified solution.