Routing – Cisco ASA-5505 – Can ping the Internet from LAN connected devices, however I cannot ping from the LAN interface to the Internet

cisco-asaipsecrouting

I am new to Cisco ASA and ASDM. Struggling with difference from IOS devices. Network layout is as follows:

AWS VPC — IPsec tunnel — ASA-5505 — LAN

Currently:

IPsec tunnel is up.
AWS can reach LAN connected devices.
LAN connected devices can reach the internet.

However I have these two problems:

LAN interface of ASA cannot ping to Internet.
SLA monitoring isn't working. (Maybe related to point 1?)

Below I have inserted most of my running-config(and route table). I removed the crypto config and I have hid some octets of WAN addresses with xxx. Hopefully there is enough configuration here to be helpful in troubleshooting. If some additional information would be helpful please ask.

(Sorry, there was probably a better way to format the running-config below.)

ciscoasa# show running-config  
: Saved  
:  
ASA Version 9.1(2)8  
!  
interface Ethernet0/0  
 switchport access vlan 2  
!  
interface Ethernet0/1  
!  
interface Ethernet0/2  
!  
interface Ethernet0/3  
!  
interface Ethernet0/4  
!  
interface Ethernet0/5  
!  
interface Ethernet0/6  
!  
interface Ethernet0/7  
!  
interface Vlan1  
 nameif inside  
 security-level 100  
 ip address 192.168.0.1 255.255.255.0  
!  
interface Vlan2  
 nameif outside  
 security-level 0  
 ip address xxx.152.29.xxx 255.255.255.240  
!  
ftp mode passive  
object network inside-subnet-1  
 subnet 192.168.0.0 255.255.255.0  
object network AWS-inside-subnet  
 subnet 172.19.254.128 255.255.255.128  
object network NETWORK_OBJ_192.168.0.0_24  
 subnet 192.168.0.0 255.255.255.0  
object-group protocol DM_INLINE_PROTOCOL_1  
 protocol-object ip  
 protocol-object icmp  
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet  
pager lines 24  
logging enable  
logging asdm informational  
mtu outside 1500  
mtu inside 1500  
no failover  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
no arp permit-nonconnected  
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static AWS-inside-subnet AWS-inside-subnet  
!  
object network inside-subnet-1  
 nat (inside,outside) dynamic interface  
route outside 0.0.0.0 0.0.0.0 xxx.152.29.xxx 1  

http server enable  
http 192.168.0.0 255.255.255.0 inside  
no snmp-server location  
no snmp-server contact  

sla monitor 1  
 type echo protocol ipIcmpEcho 172.19.254.129 interface outside  
 frequency 30  
sla monitor schedule 1 life forever start-time now  
!  
ssh 192.168.0.0 255.255.255.0 inside  
ssh timeout 20  
ssh key-exchange group dh-group1-sha1  
console timeout 0  
!  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map  
  inspect ftp  
  inspect h323 h225  
  inspect h323 ras  
  inspect rsh  
  inspect rtsp  
  inspect esmtp  
  inspect sqlnet  
  inspect skinny  
  inspect sunrpc  
  inspect xdmcp  
  inspect sip  
  inspect netbios  
  inspect tftp  
  inspect ip-options  
  inspect icmp  
!   
: end  
ciscoasa# show route  

Gateway of last resort is xxx.152.29.xxx to network 0.0.0.0  

C    xxx.152.29.xxx 255.255.255.240 is directly connected, outside  
C    192.168.0.0 255.255.255.0 is directly connected, inside  
S*   0.0.0.0 0.0.0.0 [1/0] via xxx.152.29.xxx, outside  
ciscoasa#

Best Answer

To get the IP SLA to work, change your crypto ACL from:

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet

to :

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 any4 object AWS-inside-subnet

And, of course, do the same (in reverse) at the remote peer.

This way the IP SLA (which is sourced from the ASA's outside ip address) also gets tunnelled.

src: http://www.tunnelsup.com/troubleshooting-vpn-between-cisco-asa-and-amazon-aws

Edit: note that if there is any traffic between AWS and the Internet, the suggested config change may break things as it may cause that traffic to traverse the tunnel now (depending on how the other side is configured).

Edit2: this should also make a regular ping work, if you source it from the outside interface. To be honest I'm not sure if a ping from the inside interface can ever work - it might if you enable management-access inside. That should at least allow you to ping the inside interface from AWS.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Cisco ASA 5505 – Troubleshooting Configuration Issues

The "outside" vlan seems to be misconfigured, and I've tried so many permeations, that I am sure I am overlooking something major, and obvious. When I am able to ping 8.8.8.8, from the ASA, I'll be happy!

Basic Config

As others have mentioned, your configuration is "suboptimal"... ~~the biggest problem you have is that you're not using DHCP on the outside Vlan interface~~ the biggest problem is that your default gw address is assigned to Vlan2... to recover, login to the console and...

copy runn flash:foobar.cfg
config t
configure factory-default 10.1.10.100 255.255.255.0

While you're in config mode, use this configuration...

hostname DTS-ASA
password ChangeMeNow
enable password ChangeMeNow
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 ! I don't think you need this, since it's an SMC MAC addr
 ! However, this illustrates how you can manually change the mac
 ! on your outside Vlan, if Comcast is restricting you
 ! to one mac (and now refuses to change it)
 ! mac-address 78cd.8ed9.fb37
 nameif outside
 security-level 0
 ip address 74.xx.xx.225 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 74.xx.xx.230
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
end
wr mem

Please change the password :-)... now you need fw rules, but that's a different issue

WAN Validation

Make sure you really do have the Comcast modem attached to Eth0/0... After you're up and running, you should be able to check the address you got from Comcast like this...

DTS-ASA# sh int vlan2
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 0030.dead.beef, MTU 1500
        IP address 74.xx.xx.225, subnet mask 255.255.255.248     <------------
  Traffic Statistics for "outside":
        108703406 packets input, 119199091796 bytes
        69134254 packets output, 8083775282 bytes
        1654709 packets dropped
      1 minute input rate 2 pkts/sec,  280 bytes/sec
      1 minute output rate 3 pkts/sec,  414 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 3 pkts/sec,  716 bytes/sec
      5 minute output rate 4 pkts/sec,  520 bytes/sec
      5 minute drop rate, 0 pkts/sec
DTS-ASA#

Then check your ping to google's DNS...

DTS-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
DTS-ASA#

If not, be sure you can ping your default-gw...

DTS-ASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 74.xx.xx.230 to network 0.0.0.0

C    74.xx.xx.230 255.255.255.248 is directly connected, outside
C    10.1.10.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 74.xx.xx.230, outside          <------
DTS-ASA#
DTS-ASA# ping 74.xx.xx.230