Cisco ASA NAT not working???
I can't get my ASA NAT to work. I'm testing to configure the firewall for our shop by simulating it on our local network. The ISP router is at 192.168.168.1. The ASA can ping out to the internet but the PC can't.
The PC picks up DHCP OK and can ping 192.168.171.1 (ASA GigabitEthernet0/1), but it can't ping the default gateway ASA 192.168.168.233 (ASA GigabitEthernet0/0) or beyond.
<------------------ASA----
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.168.233 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.171.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif mngt
security-level 0
ip address 10.10.10.13 255.255.255.224
!
icmp permit any mngt
icmp permit any inside
icmp permit any outside
!
object network INSIDE-SUBNET
subnet 192.168.171.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-SUBNET interface
route outside 0.0.0.0 0.0.0.0 192.168.168.1 5
dhcpd address 192.168.171.3 - 192.167.171.63 inside
dhcpd address 192.168.171.3-192.167.171.
dhcpd address 192.168.171.3-192.168.171.
dhcp dns 192.168.168.1
dhcpd dns 192.168.168.1
dhcpd lease 3000
dhcpd domain cortana.com
dhcpd ping_timeout 20
dhcpd option 3 192.168.171.1
dhcpd option 3 ip 192.168.171.1
dhcpd enable inside
dhcpd option 2 ascii dhcpd_option_2_ascii_examp
<-----------------SWITCH--
---- ASA GigabitEthernet0/1 -> switch on inside of the ASA ----
!
interface FastEthernet0/1
des to_ASA_GigabitEthernet0/1_
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 1,200
switchport mode trunk
!
----PC -> witch on inside of the ASA ----
interface FastEthernet0/2
des PC_to_Switch_on_the_inside
switchport access vlan 200
switchport mode access
The PC picks up DHCP OK and can ping 192.168.171.1 (ASA GigabitEthernet0/1), but it can't ping the default gateway ASA 192.168.168.233 (ASA GigabitEthernet0/0) or beyond.
<------------------ASA----
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.168.233 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.171.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif mngt
security-level 0
ip address 10.10.10.13 255.255.255.224
!
icmp permit any mngt
icmp permit any inside
icmp permit any outside
!
object network INSIDE-SUBNET
subnet 192.168.171.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-SUBNET interface
route outside 0.0.0.0 0.0.0.0 192.168.168.1 5
dhcpd address 192.168.171.3 - 192.167.171.63 inside
dhcpd address 192.168.171.3-192.167.171.
dhcpd address 192.168.171.3-192.168.171.
dhcp dns 192.168.168.1
dhcpd dns 192.168.168.1
dhcpd lease 3000
dhcpd domain cortana.com
dhcpd ping_timeout 20
dhcpd option 3 192.168.171.1
dhcpd option 3 ip 192.168.171.1
dhcpd enable inside
dhcpd option 2 ascii dhcpd_option_2_ascii_examp
<-----------------SWITCH--
---- ASA GigabitEthernet0/1 -> switch on inside of the ASA ----
!
interface FastEthernet0/1
des to_ASA_GigabitEthernet0/1_
switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 1,200
switchport mode trunk
!
----PC -> witch on inside of the ASA ----
interface FastEthernet0/2
des PC_to_Switch_on_the_inside
switchport access vlan 200
switchport mode access
Also on the inside ASA interface I see you have it connected to a switch trunk port. You will need to create subinterfaces on that inside interface tagging the appropriate vlan and ip address for the associated vlan. Otherwise if you just want vlan 200, just change the switchport it's connected to to an access port in vlan 200.
ASKER
OH I didn't think of FW rules. I should make an "any any" rule for now?
ciscoasa# sh nat translated interface inside
No matching NAT policy found.
I tried this, it works on the ASA but not from the PC...
!
object-group network OUTSIDE-INT-IP
network-object host 192.168.168.233
!
nat (inside,outside) source dynamic INSIDE-SUBNET interface destination static interface OUTSIDE-INT-IP interface
!
ciscoasa(config)# traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 192.168.168.1 0 msec 0 msec 0 msec
2 10.5.88.1 10 msec 10 msec 10 msec
3 100.123.212.40 0 msec 10 msec 10 msec
4 100.121.20.2 10 msec 0 msec 20 msec
5 68.1.4.139 10 msec 10 msec 10 msec
6 209.85.148.120 0 msec
98.182.1.86 20 msec 0 msec
7 108.170.246.65 10 msec
108.170.246.33 10 msec
108.170.240.97 10 msec
8 209.85.251.82 10 msec 10 msec
216.239.49.168 10 msec
9 8.8.8.8 0 msec 110.5.88.1 100 msec 10 msec
ciscoasa(config)# ping 10.5.88.1
Type escape sequence to abort.
Sending 5, 100-byte10.5.88.1 10 ICMP Echos to 10.5.88.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
ciscoasa(config)#
NOTE the 10.5.88.1 10 is not on my network and appears to be behind our outside address of 98.175.98.XX, the 10. must be inside the Cox ISP?
ciscoasa# sh nat translated interface inside
No matching NAT policy found.
I tried this, it works on the ASA but not from the PC...
!
object-group network OUTSIDE-INT-IP
network-object host 192.168.168.233
!
nat (inside,outside) source dynamic INSIDE-SUBNET interface destination static interface OUTSIDE-INT-IP interface
!
ciscoasa(config)# traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 192.168.168.1 0 msec 0 msec 0 msec
2 10.5.88.1 10 msec 10 msec 10 msec
3 100.123.212.40 0 msec 10 msec 10 msec
4 100.121.20.2 10 msec 0 msec 20 msec
5 68.1.4.139 10 msec 10 msec 10 msec
6 209.85.148.120 0 msec
98.182.1.86 20 msec 0 msec
7 108.170.246.65 10 msec
108.170.246.33 10 msec
108.170.240.97 10 msec
8 209.85.251.82 10 msec 10 msec
216.239.49.168 10 msec
9 8.8.8.8 0 msec 110.5.88.1 100 msec 10 msec
ciscoasa(config)# ping 10.5.88.1
Type escape sequence to abort.
Sending 5, 100-byte10.5.88.1 10 ICMP Echos to 10.5.88.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
ciscoasa(config)#
NOTE the 10.5.88.1 10 is not on my network and appears to be behind our outside address of 98.175.98.XX, the 10. must be inside the Cox ISP?
ASKER
ciscoasa# sh nat translated interface outside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
translate_hits = 78, untranslate_hits = 0
ciscoasa#
NAT works from the ASA but not from the PC
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
translate_hits = 78, untranslate_hits = 0
ciscoasa#
NAT works from the ASA but not from the PC
Looks like it's hitting the NAT rule. So what about your firewall rule?
ASKER
Changed the switchport it's connected to to an access port in vlan 200 interface connected to the inside ASA interface - but I still can't ping from the PC....
ASKER
I'm googling the FW rule now :-| LOOK at this????
ciscoasa(config)# sh nat translated interface inside
No matching NAT policy found
ciscoasa(config)# sh nat translated interface outside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
translate_hits = 78, untranslate_hits = 0
No changes made on the ASA - changed the switchport to mode access....
ciscoasa(config)# sh nat int outside
No matching NAT policy found
ciscoasa(config)# sh nat int inside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
translate_hits = 240, untranslate_hits = 0
ciscoasa(config)#
ciscoasa(config)# sh nat translated interface inside
No matching NAT policy found
ciscoasa(config)# sh nat translated interface outside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
translate_hits = 78, untranslate_hits = 0
No changes made on the ASA - changed the switchport to mode access....
ciscoasa(config)# sh nat int outside
No matching NAT policy found
ciscoasa(config)# sh nat int inside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET interface
translate_hits = 240, untranslate_hits = 0
ciscoasa(config)#
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The closest I can get on the 5520 is the following.
object network INSIDE-SUBNET
nat (inside,outside) source dynamic any interface
Thanks for the reference to Cisco Firewalls and PING - I added the following from it.
policy-map global_policy
class inspection_default
inspect icmp
I still can't ping across interfaces so I'm finding out how to apply ACLs... I'll start with "any any"
object network INSIDE-SUBNET
nat (inside,outside) source dynamic any interface
Thanks for the reference to Cisco Firewalls and PING - I added the following from it.
policy-map global_policy
class inspection_default
inspect icmp
I still can't ping across interfaces so I'm finding out how to apply ACLs... I'll start with "any any"
ASKER
The NAT is working because my PC can browse the internet. I added in and out acls to outside and inside interfaces but I don't get any hit count? I'd like be able to ping for testing, like ping out to the internet....
ACL ADDED TO outside and inside:
access-list OUTSIDE-IN extended permit ip any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any
access-list OUTSIDE-OUT extended permit ip any any
access-list OUTSIDE-OUT extended permit icmp any any
access-list OUTSIDE-OUT extended permit tcp any any
access-list INSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit icmp any any
access-list INSIDE-IN extended permit tcp any any
access-list INSIDE-OUT extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any
nat (inside,outside) source dynamic any interface
access-group OUTSIDE-OUT out interface outside
access-group OUTSIDE-IN in interface outside
access-group INSIDE-IN in interface inside
access-group INSIDE-OUT out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.168.1 5
------------NAT IS WORKING---------
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 133, untranslate_hits = 0
------------------>Chrome Browse to google.com <------------ Browsing Works :-)
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 233, untranslate_hits = 0
--------------------> but ACL shows no hits ?????????????
#sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=0) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=301) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=301) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=0) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
ciscoasa#
ciscoasa#
ACL ADDED TO outside and inside:
access-list OUTSIDE-IN extended permit ip any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any any
access-list OUTSIDE-OUT extended permit ip any any
access-list OUTSIDE-OUT extended permit icmp any any
access-list OUTSIDE-OUT extended permit tcp any any
access-list INSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit icmp any any
access-list INSIDE-IN extended permit tcp any any
access-list INSIDE-OUT extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit tcp any any
nat (inside,outside) source dynamic any interface
access-group OUTSIDE-OUT out interface outside
access-group OUTSIDE-IN in interface outside
access-group INSIDE-IN in interface inside
access-group INSIDE-OUT out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.168.1 5
------------NAT IS WORKING---------
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 133, untranslate_hits = 0
------------------>Chrome Browse to google.com <------------ Browsing Works :-)
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 233, untranslate_hits = 0
--------------------> but ACL shows no hits ?????????????
#sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=0) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=301) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=301) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=0) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
ciscoasa#
ciscoasa#
I see hits:
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=0) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=301) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=301) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=0) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=0) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=301) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=301) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=0) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
ASKER
Well what ever I did, traceroute now works from my PC but ping still does not work.
debug icmp trace
logging monitor debug
logging enable
------------------------PC
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=239 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=239 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=240 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=240 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=241 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=241 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=242 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=242 len=32
------------------------AS
ciscoasa(config)# ping 192.168.171.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.171.5, timeout is 2 seconds:
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
!ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
---------------> PC tracert 8.8.8.8
C:\Users\root>tracert 8.8.8.8
Tracing route to google-public-dns-a.google
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms my.meraki.net [192.168.168.1]
2 7 ms 14 ms 9 ms 100.123.212.40
3 7 ms 8 ms 8 ms 100.121.20.2
4 10 ms 8 ms 8 ms ashbbprj01-ae2.rd.as.cox.n
5 8 ms 9 ms 9 ms 98.182.1.86
6 12 ms 7 ms 8 ms 108.170.246.65
7 8 ms 8 ms 8 ms 216.239.41.201
8 17 ms 10 ms 8 ms google-public-dns-a.google
Trace complete.
C:\Users\root>
ciscoasa(config)#
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=247 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=247 len=64
ICMP echo reply untranslating outside:192.168.168.233 to inside:192.168.171.5
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=248 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=248 len=64
ICMP echo reply untranslating outside:192.168.168.233 to inside:192.168.171.5
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=249 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=249 len=64
AND SO ON . . . . . . . . . . .
----------------------> PC ping to outside ip address
NOTHING ON ASA
debug icmp trace
logging monitor debug
logging enable
------------------------PC
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=239 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=239 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=240 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=240 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=241 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=241 len=32
ICMP echo request from 192.168.171.5 to 192.168.171.1 ID=1 seq=242 len=32
ICMP echo reply from 192.168.171.1 to 192.168.171.5 ID=1 seq=242 len=32
------------------------AS
ciscoasa(config)# ping 192.168.171.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.171.5, timeout is 2 seconds:
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
!ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
ICMP echo request from 192.168.171.1 to 192.168.171.5 ID=713 seq=17104 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ICMP echo reply from 192.168.171.5 to 192.168.171.1 ID=713 seq=17104 len=72
---------------> PC tracert 8.8.8.8
C:\Users\root>tracert 8.8.8.8
Tracing route to google-public-dns-a.google
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms my.meraki.net [192.168.168.1]
2 7 ms 14 ms 9 ms 100.123.212.40
3 7 ms 8 ms 8 ms 100.121.20.2
4 10 ms 8 ms 8 ms ashbbprj01-ae2.rd.as.cox.n
5 8 ms 9 ms 9 ms 98.182.1.86
6 12 ms 7 ms 8 ms 108.170.246.65
7 8 ms 8 ms 8 ms 216.239.41.201
8 17 ms 10 ms 8 ms google-public-dns-a.google
Trace complete.
C:\Users\root>
ciscoasa(config)#
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=247 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=247 len=64
ICMP echo reply untranslating outside:192.168.168.233 to inside:192.168.171.5
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=248 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=248 len=64
ICMP echo reply untranslating outside:192.168.168.233 to inside:192.168.171.5
ICMP echo request from inside:192.168.171.5 to outside:192.168.168.1 ID=1 seq=249 len=64
ICMP echo request translating inside:192.168.171.5 to outside:192.168.168.233
ICMP echo reply from outside:192.168.168.1 to inside:192.168.168.233 ID=1 seq=249 len=64
AND SO ON . . . . . . . . . . .
----------------------> PC ping to outside ip address
NOTHING ON ASA
ASKER
Yes there are IP hits but no ICMP hits ??????
ASKER
OH :-) I just read this: Since the Cisco ASA acts as a Security appliance, it usually does not let you see when the packet goes across to it, it is a security measure, so this is the way we can make this to function as you are looking for. If you have another question please let me know!
So I tested pinging 8.8.8.8 from my PC and it works :-) I don't know what I did but I can now ping everything but the outside interface ip address.
C:\Users\root>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=8ms TTL=252
Reply from 8.8.8.8: bytes=32 time=12ms TTL=252
Reply from 8.8.8.8: bytes=32 time=12ms TTL=252
Reply from 8.8.8.8: bytes=32 time=8ms TTL=252
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 12ms, Average = 10ms
C:\Users\root>
!!!!!!!!!!!!!!!!!!!!!!!!!!
There are no ICMP hits in the ACL because IP is the first rule, and ICMP is IP !!!!!!!!!!! Boy I'm a dummy.
ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=42) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=1420) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=1432) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=21) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
ciscoasa(config)#
So I tested pinging 8.8.8.8 from my PC and it works :-) I don't know what I did but I can now ping everything but the outside interface ip address.
C:\Users\root>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=8ms TTL=252
Reply from 8.8.8.8: bytes=32 time=12ms TTL=252
Reply from 8.8.8.8: bytes=32 time=12ms TTL=252
Reply from 8.8.8.8: bytes=32 time=8ms TTL=252
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 12ms, Average = 10ms
C:\Users\root>
!!!!!!!!!!!!!!!!!!!!!!!!!!
There are no ICMP hits in the ACL because IP is the first rule, and ICMP is IP !!!!!!!!!!! Boy I'm a dummy.
ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE-IN; 3 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit ip any any (hitcnt=42) 0x03aa8b7f
access-list OUTSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x2d9fa831
access-list OUTSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x988e8549
access-list OUTSIDE-OUT; 3 elements; name hash: 0x2fb3cebb
access-list OUTSIDE-OUT line 1 extended permit ip any any (hitcnt=1420) 0x85562ffc
access-list OUTSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0xf4c12f3b
access-list OUTSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0xdb94916e
access-list INSIDE-IN; 3 elements; name hash: 0xf1656621
access-list INSIDE-IN line 1 extended permit ip any any (hitcnt=1432) 0xece2599d
access-list INSIDE-IN line 2 extended permit icmp any any (hitcnt=0) 0x5cfc8e4a
access-list INSIDE-IN line 3 extended permit tcp any any (hitcnt=0) 0x8be220e6
access-list INSIDE-OUT; 3 elements; name hash: 0x55692ef1
access-list INSIDE-OUT line 1 extended permit ip any any (hitcnt=21) 0x91f5358c
access-list INSIDE-OUT line 2 extended permit icmp any any (hitcnt=0) 0x121fd7eb
access-list INSIDE-OUT line 3 extended permit tcp any any (hitcnt=0) 0x19534f9c
ciscoasa(config)#
Haha, well you see I didn't respond after my post highlighting the hits. I figured you would figure it out..lol!
ASKER
I guess that it is normal that the ASA will not ping the outside ip address. Once it is connected to the ISP static external ip address, I guess that all you want to be able to do is ping the external address, not the outside port.... So all is good.
Now I have to put int the PAT rules for our external clients to access our services. I've built a Linux box with several VMs running various things like sql and Apache. So I'll have several address/port applications to PAT to and test.
I'm sure that I'll be back.
Soulja and Pete-Long have been a terrific help setting up my ASA firewall. Many thanks for their help.
Now I have to put int the PAT rules for our external clients to access our services. I've built a Linux box with several VMs running various things like sql and Apache. So I'll have several address/port applications to PAT to and test.
I'm sure that I'll be back.
Soulja and Pete-Long have been a terrific help setting up my ASA firewall. Many thanks for their help.
ASKER
Soulja and Pete-Long have been a terrific help setting up my ASA firewall. Many thanks for their help.
Open in new window
Aslo do you have firewall rules created to allow access out to the internet or are you using default security level flow?