No traffic through ASA

I can't get any traffic to pass through an ASA.  I can ping from the ASA itself but clients on the inside interface are not able to ping or reach anything on the outside interface.  

A config of the device, and the output of the show route command are attached.


Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ffleismaSenior Network EngineerCommented:
try adding the following
access-list outside_access_in extended permit icmp any any echo-reply
It seems echo-reply is not allowed from the outside hence ping is failing.

Also the following will work, if you like to be more specific about the rule to allowing echo-reply to outside interface IP only..
access-list outside_access_in extended permit icmp any interface outside echo-reply
labdunnAuthor Commented:
Still no joy.  I should add not only am I not able to get pings through, I can't get other traffic such as a visit to through the ASA either.
ffleismaSenior Network EngineerCommented:
can you provide a packet-tracer output, syntax will be as follows:
packet-tracer input inside tcp 80 80

Open in new window

Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

ffleismaSenior Network EngineerCommented:
it doesn't seem to be a problem with the ACL or NAT, we'll be able to tell more when packet-tracer output is provided.

in terms of your test, are you doing a ping to the IP or hostname? if hostname if failing it might be due to DNS not resolving. also make sure that host has gained complete ipconfig through DHCP.

you can also test using telnet instead (Pinging []):
telnet 80
labdunnAuthor Commented:
Neat command.  Attached are the results of that command.  

I also ran that command against our production ASA box that is configured a bit differently.  I see where the paths split.  I left out some of the full configuration of the problem ASA on the original post.  I will post the full config with names and addresses modified for privacy.
labdunnAuthor Commented:
I'm using as my DNS server so ping won't work.  

Amazing.  telnet 80  works!
ffleismaSenior Network EngineerCommented:
So it should be isolated down to DNS/DHCP since telnet worked. But I'm leaning more towards DNS issue.
does host have complete IP config? (default gateway, DNS) you might need to ipconfig/release ipconfig/renew to reflect the DNS changes of that you made.

You can also try:
statically IP and configure the DNS to (google public DNS)
labdunnAuthor Commented:
The problem was the vpnclient enable command.  I didn't have the other side configured properly and the tunnel was not up.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
labdunnAuthor Commented:
Self provided
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.