Why can I not ping my host behind the firewall? Cisco asa 5505

firewall cisco nat cisco-asa icmp
8,846

Solution 1

I have found the solution!

Indeed I had to extend my access-list on my outside interface!!!

I have succeeded using ASDM.

First I created a NEW network object for each of my servers. When you create a new object you will be asked for the internal IP address and "this is where the magic happens" you have to set the NAT IP address (the external address) !!!

Secondly I extended my access-list on my outside interface by defining every server and the required service (echo, echo-reply) in the "Public server list". When I performed these 2 steps I was able to ping the server from the internet.

My access-list looks the following now:

access-list OutsideToInside extended permit icmp any4 object SERVER2003 object-group DM_INLINE_ICMP_2 access-list OutsideToInside extended permit icmp any4 object SERVER2002 object-group DM_INLINE_ICMP_1 access-list OutsideToInside extended permit icmp any4 object SERVER2004 object-group DM_INLINE_ICMP_0

object network SERVER2004 nat (inside,outside) static 82.94.xxx.xxx object network SERVER2002 nat (inside,outside) static 82.94.xxx.xxx object network SERVER2003 nat (inside,outside) static 82.94.xxx.xxx

Solution 2

All you configuration looks fine and I can see that you have only allowed desired traffic to your servers using ACL. If you would like to anyone to be able to ping your server on public IP interface, you will need to add below ACL:

access-list OutsideToInside extended permit icmp any any

Or you can choose the servers instead of allowing ping to all/any.

Share:
8,846

Related videos on Youtube

Banks
Author by

Banks

Updated on September 18, 2022

Comments

  • Banks
    Banks over 1 year

    Can anyone please help me to figure out, what in my configuration of the Cisco asa 5505 is wrong or missing? I have multiple host behind my firewall. These hosts run different websites on port 80. I can ping the server from one to another, but I am not able to ping the servers from the Internet. I am using static NAT. Is there a translation issue going on here?

    ========
CISCOASACLOUD# show run
CISCOASACLOUD# show running-config
: Saved
:
ASA Version 9.0(1)
!
hostname CISCOASACLOUD
enable password ************* encrypted
passwd ************* encrypted
names
ip local pool VPN_IP_POOL 10.0.2.50-10.0.2.75 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 82.94.XX.XX 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.109.104.104
 name-server 194.109.9.99
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN_NETWORK
 subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.2.0_24
 subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.2.0_25
 subnet 10.0.2.0 255.255.255.128
object network SERVER2003_HTTP
 host 10.0.2.104
object network SERVER2003_HTTPS
 host 10.0.2.104
object network SERVER2004_HTTP
 host 10.0.2.105
object network SERVER2004_HTTPS
 host 10.0.2.105
object network SERVER2002_HTTP
 host 10.0.2.103
object network SERVER2002_HTTPS
 host 10.0.2.103
object network SERVER2002_NAGIOS
 host 10.0.2.103
object network SERVER2003_NAGIOS
 host 10.0.2.104
object network SERVER2002_NAGIOS_NSCP
 host 10.0.2.103
object network SERVER2003_NAGIOS_NSCP
 host 10.0.2.104
object network SERVER2004_NAGIOS
 host 10.0.2.105
object network SERVER3001_NAGIOS
 host 10.0.2.202
object network SERVER2001_NAGIOS
 host 10.0.2.102
object network SERVER3001_HTTP
 host 10.0.2.202
object network SERVER3001_HTTPS
 host 10.0.2.202
object network SERVER2004_FTP
 host 10.0.2.105
object network SERVER2004_FTP_TCP
 host 10.0.2.105
object network SERVER2004_FTP_SSL
 host 10.0.2.105
object network SERVER2005_HTTP
 host 10.0.2.106
object network SERVER2005_HTTPS
 host 10.0.2.106
object network SERVER3001_ICMP
 host 10.0.2.201
access-list Default_Tunnel_Group_Name_VPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.102 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq ftp
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq ftp-data
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq 990
access-list OutsideToInside extended permit tcp any host 10.0.2.106 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.106 eq https
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.2.0_24 NETWORK_OBJ_10.0.2.0_24 destination static NETWORK_OBJ_10.0.2.0_25 NETWORK_OBJ_10.0.2.0_25 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network SERVER2003_HTTP
 nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2003_HTTPS
 nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2004_HTTP
 nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2004_HTTPS
 nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2002_HTTP
 nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2002_HTTPS
 nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2002_NAGIOS
 nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2003_NAGIOS
 nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2004_NAGIOS
 nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER3001_NAGIOS
 nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2001_NAGIOS
 nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER3001_HTTP
 nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER3001_HTTPS
 nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2004_FTP
 nat (inside,outside) static 82.94.XXX.XXX service tcp ftp ftp
object network SERVER2004_FTP_TCP
 nat (inside,outside) static 82.94.XXX.XXX service tcp ftp-data ftp-data
object network SERVER2004_FTP_SSL
 nat (inside,outside) static 82.94.XXX.XXX service tcp 990 990
object network SERVER2005_HTTP
 nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2005_HTTPS
 nat (inside,outside) static 82.94.XXX.XXX service tcp https https
access-group inside_access_in in interface inside
access-group OutsideToInside in interface outside
route outside 0.0.0.0 0.0.0.0 82.94.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.2.0 255.255.255.0 inside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh timeout 60
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 213.132.202.192 source outside
ntp server 72.251.252.11 source outside
ntp server 131.211.8.244 source outside
group-policy Default_Tunnel_Group_Name_VPN internal
group-policy Default_Tunnel_Group_Name_VPN attributes
 dns-server value 194.109.104.104 194.109.9.99
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
Default_Tunnel_Group_Name_VPN_splitTunnelAcl
username ******* password ************* encrypted privilege 0
username ******* attributes
 vpn-group-policy Default_Tunnel_Group_Name_VPN
username ******* password ************* encrypted privilege 15
username ******* password ************* encrypted privilege 0
username ******* attributes
 vpn-group-policy Default_Tunnel_Group_Name_VPN
username ******* password ************* encrypted privilege 0
username ******* attributes
 vpn-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN type remote-access
tunnel-group Default_Tunnel_Group_Name_VPN general-attributes
 address-pool VPN_IP_POOL
 default-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp error
  inspect ftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:655f9d00d6ed1c593506cbf9a876cd49
: end
CISCOASACLOUD#
  • Banks
    Banks about 9 years
    Many thanks for your response. I have added "access-list OutsideToInside extended permit icmp any any" to my configuration but still no echo responses. To be clear I am pinging using the external IP address (82.94.) for the server. The internal IP address is in the 10.0. range. Any more ideas?
  • Banks
    Banks about 9 years
    No it did not work.
  • Banks
    Banks about 9 years
    Yes I am able to ping the ASA public IP address. This traffic is being logged on my ASA. When I ping any servers behind the firewall using the external IP address non of this traffic is being logged. 6 Apr 21 2015 13:36:14 302021 188.207.72.222 57892 82.94.xxx.xxx 0 Te‌​ardown ICMP connection for faddr 188.207.72.222/57892 gaddr 82.94.xxx.xxx/0 laddr 82.94.xxx.xxx/0 ||||| 6 Apr 21 2015 13:36:14 302020 188.207.72.222 57892 82.94.xxx.xxx 0 Bu‌​ilt inbound ICMP connection for faddr 188.207.72.222/57892 gaddr 82.94.xxx.xxx/0 laddr 82.94.xxx.xxx/0
  • Amir
    Amir about 9 years
    I just tried to ping your ASA ip: 188.207.72.222 and unable to ping. Also, if you are using ASDM to configure, you can use packet tracer to check your configuration. above rule should allow you to ping. I guess you internet is working? would you please confirm?
  • Amir
    Amir about 9 years
    I didn't see any deny rule in above config, If you have added deny rule for outside interface after this post, please make sure allow ACL is added before deny rule.
  • Banks
    Banks about 9 years
    That is not the IP address of my ASA but the IP address of my cell phone connected over 3/4G. I am not using ASDM to configure the ASA. However when I check the traffic using the tracer I first select the interface "outside" set the packet type to ICMP, set the source IP address and destination 82.94.xx.xx and type to echo. The result is "the packet is dropped" info : (no route) No route to host.
  • Banks
    Banks about 9 years
    I have already tried this. But it is still not working. Any more ideas. Is my routing OK?
  • ewwhite
    ewwhite about 9 years
    I don't know. Can you ping 8X.XXX.1XX.XXX?!?
  • Amir
    Amir about 9 years
    Also, would you please let me know the version of ASA system firmware as there is a requirement of setting Public Server from version 8.4 onwards. Unfortunately, I didn't get any luck trying to this up with CLI. I had to use ASDM to configure public server under Firewall. Please set this and test again please. Apologies for testing on wrong IP, realised it lately.
  • Banks
    Banks about 9 years
    Can you please explain you question to me in more detail. I'm not able to follow you.
  • Banks
    Banks about 9 years
    Amir, Many thanks for your support. you have helped me to find the solution..
  • Amir
    Amir about 9 years
    Great that you managed to fix the issue and explained here for others. I have also marked your answer as useful.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cisco ASA: Multiple static IPs on a single interface
debugging ASA firewall rules (with or without ASDM)
Cisco ASA 5505 - NAT or Port Forward for SIP / VoIP ver 8.4
i cant ping to my DMZ zone from the local inside PC
Changing ASA access lists on the fly
Cisco ASA5505 - Unable to ping DMZ from Inside interface
Cisco ASA Implicit rule dropping traffic
How can I debug Cisco Firewall ASA "Dispatch Unit" very high CPU utilisation from ASDM?
CISCO ASA 5510: How to view the number of connections per second?
Cisco ASA 5520 Unable to access external IP on Internal Network