Can't ping anything on the internet or DMZ

I am desperately trying to put my Cisco ASA 5505 up to accept ping requests from the Internet and my DMZ. On my LAN, I have some monitoring software running using ping to see if various machines are running (both physical and virtual machines). It is therefore very important that I can use ping anywhere on my LAN and DMZ as well as the Internet.
Right now, I only get a timeout message. What do I need in my setup?

This is my running config:
ASA Version 9.0(4)26
!
hostname myFW5505
domain-name mydomain.dk
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!            
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 109.xxx.yyy.131 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.dk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network dmz-subnet
 subnet 172.168.1.0 255.255.255.0
object network host-web-http
object network EXT_WEB
 host 109.xxx.yyy.131
object-group network rfc3330-subnets
 description Group of all rfc3330 subnets incl private and special use
 network-object 0.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 14.0.0.0 255.0.0.0
 network-object 24.0.0.0 255.0.0.0
 network-object 39.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 128.0.0.0 255.255.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
network-object 191.255.0.0 255.255.0.0
 network-object 192.0.0.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0
 network-object 192.88.99.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 198.18.0.0 255.254.0.0
 network-object 223.255.255.0 255.255.255.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
object-group network WEB_SERVERS
 network-object host 172.16.1.20
object-group network MAIL_SERVERS
 network-object host 172.16.1.30
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
object-group service MAIL_SERVICES tcp
 port-object eq smtp
access-list HTTP_TO_DMZ extended deny ip object-group rfc3330-subnets any
access-list HTTP_TO_DMZ extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES
access-list HTTP_TO_DMZ extended permit tcp any object-group MAIL_SERVERS object-group MAIL_SERVICES
access-list HTTP_TO_DMZ extended permit icmp any any
access-list HTTP_TO_DMZ extended permit ip any any
access-list MAIL_TO_DMZ extended deny ip object-group rfc3330-subnets any
access-list MAIL_TO_DMZ extended permit tcp any object-group MAIL_SERVERS object-group MAIL_SERVICES
access-list MAIL_TO_DMZ extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
ip audit name INFOTEST info action alarm reset
ip audit name ATTACKTEST attack action alarm reset
ip audit interface outside INFOTEST
ip audit interface outside ATTACKTEST
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network EXT_WEB
 nat (any,any) static dmz-subnet
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 109.xxx.yyy.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 dmz
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0

dhcpd auto_config outside
dhcpd option 3 ip 172.16.1.1
!
dhcpd dns 192.168.1.10 192.168.1.11 interface inside
dhcpd domain mydomain.dk interface inside
!
dhcpd address 172.16.1.180-172.16.1.199 dmz
dhcpd domain mydomain.dk interface dmz
dhcpd enable dmz
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 185.206.224.136 source outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Thanks in advance

PS: If you find any pitfalls in my configuration, please let me know.
Søren SjøstrømIT-Administrator/CEOAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alex GreenProject Systems EngineerCommented:
Is it just me or did you just post your password to your firewall?
Søren SjøstrømIT-Administrator/CEOAuthor Commented:
Ups.. Well, It's encrypted but I change it right away :)
Alex GreenProject Systems EngineerCommented:
Just an idea :-)
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

David Leon LowesSr. Cloud Integration Eng.Commented:
I see your DMZ is set to use internal IP addresses (172.16.1.180/20) to have it accessible from the Internet your should put public IP addresses (unless you are performing DNAT == one to one external to Internal nat)
David Leon LowesSr. Cloud Integration Eng.Commented:
Pete LongTechnical ConsultantCommented:
You might want to remove these

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any

Other than that the config looks fine? Are your test machines using their own client firewall perchance?

Pete
WissamSenior Network EngineerCommented:
It may be necessary to allow the ASA to communicate via ICMP with any outside host:
 
icmp permit any outside
 
This is just like allowing ssh access to the ASA: it is not sufficient to allow ssh in the access-lists for that, you have to allow it with a seperate command like this:
 
ssh x.x.x.x n.n.n.n outside
 
It's just the same for icmp.
Pete LongTechnical ConsultantCommented:
Sorry Buddy thats just not true, that command dictates how an ASA interface behaves when it gets an ICMP packet directed at an interface.

You don't even need to allow ICMP outbound for pings to work, if you allow IP any any outbound, ping will work (providing you have icmp inspected in your policy-map). I didnt believe that either when I got told that so I had to test it to make sure :)

See
Cisco Firewalls and PING
WissamSenior Network EngineerCommented:
Just to understand your point

I am desperately trying to put my Cisco ASA 5505 up to accept ping requests from the Internet and my DMZ.

You want to ping the ASA from the internet? The ping will be targeting the ASA ip, and the ASA itself to reply to pings?
If so then check my post
Otherwise sorry for missunderstanding your point
Søren SjøstrømIT-Administrator/CEOAuthor Commented:
Thanks for all the replies. I have made some changes in the configuration. Running config shown below.

But unfortunately, I still can not ping any host on the internet or in my DMZ from inside LAN. If I try to send a ping from my workstation to eg 8.8.8.8 or a host in my DMZ, I always get a 'Request timeout for icmp_seq' message.

Result from 'packet-tracer input inside icmp 192.168.1.108 8 0 8.8.8.8' command:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.108/0 to 109.xxx.yyy.131/11597

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW 
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 94504, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Open in new window


Result from 'packet-tracer input inside icmp 192.168.1.108 0 0 8.8.8.8' command:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

Open in new window


I have no clue about the reason for the error message.

Result from 'packet-tracer input inside icmp 192.168.1.108 8 0 172.16.1.5' command:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.1.0      255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:       
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 94898, packet dispatched to next module
              
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Open in new window


Result from 'packet-tracer input inside icmp 192.168.1.108 0 0 172.16.1.5' command:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.1.0      255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:       
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 95057, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Open in new window


Running config:
hostname myFW5505
domain-name mydomain.dk
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!             
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 109.xxx.yyy.131 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0 
!
dns server-group DefaultDNS
 domain-name mydomain.dk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0
object network dmz-subnet
 subnet 172.168.1.0 255.255.255.0
object network host-web-http
object network webserver-external-ip
 host 109.xxx.yyy.131
object network mailserver-external-ip
 host 109.xxx.yyy.131
object network webserver
 host 172.16.1.20
object network mailserver
 host 172.16.1.30
object-group network rfc3330-subnets
 description Group of all rfc3330 subnets incl private and special use
 network-object 0.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 14.0.0.0 255.0.0.0
 network-object 24.0.0.0 255.0.0.0
 network-object 39.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 128.0.0.0 255.255.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 191.255.0.0 255.255.0.0
 network-object 192.0.0.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0
 network-object 192.88.99.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 198.18.0.0 255.254.0.0
 network-object 223.255.255.0 255.255.255.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
object-group network WEB_SERVERS
 network-object host 172.16.1.20
object-group network MAIL_SERVERS
 network-object host 172.16.1.30
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
object-group service MAIL_SERVICES tcp
 port-object eq smtp
access-list dmz_access_in extended permit icmp any any 
access-list dmz_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended deny ip object-group rfc3330-subnets any 
access-list outside_access_in extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES 
access-list outside_access_in extended permit tcp any object-group MAIL_SERVERS object-group MAIL_SERVICES 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
ip audit name INFOTEST info action alarm reset
ip audit name ATTACKTEST attack action alarm reset
ip audit interface outside INFOTEST
ip audit interface outside ATTACKTEST
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!             
object network obj_any
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver-external-ip
 nat (any,any) static dmz-subnet
object network mailserver-external-ip
 nat (any,any) static dmz-subnet
object network webserver
 nat (dmz,outside) static interface service tcp www www 
object network mailserver
 nat (dmz,outside) static interface service tcp smtp smtp 
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 109.xxx.yyy.129 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 dmz
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0

dhcpd auto_config outside
dhcpd option 3 ip 172.16.1.1
!             
dhcpd dns 192.168.1.10 192.168.1.11 interface inside
dhcpd domain mydomain.dk interface inside
!
dhcpd address 172.16.1.180-172.16.1.199 dmz
dhcpd domain mydomain.dk interface dmz
dhcpd enable dmz
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 185.206.224.136 source outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 

Open in new window


TIA
aamodtCommented:
Dumb question but can you reach internet from firewall ? from the outside interface? guess you tested  from inside/dmz interface from before.
Seems like the route/NAT'ing is fine now.  So maybe the issue is somewhere else on the access?
Pete LongTechnical ConsultantCommented:
Drop-reason: (nat-xlate-failed) NAT failed

Thats Odd?

Take these out

nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
Søren SjøstrømIT-Administrator/CEOAuthor Commented:
I have now removed the suggested NAT rules, but with no luck. I still can´t  ping anything. And the 'packet-tracer input inside icmp 192.168.1.108 0 0 8.8.8.8' command continues to fail.
Benjamin Van DitmarsSr Network EngineerCommented:
What license is there in youre 5505 ? with a base license the third vlan (interface) is only lan <-> dmz or wan <-> not both. for that you need sec plus license on the box.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Søren SjøstrømIT-Administrator/CEOAuthor Commented:
Thanks for your help
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software

From novice to tech pro — start learning today.