VLAN Cisco ASA Firewall NAT Ping – Troubleshooting Natted Client Can’t Ping Default Gateway

Tags: cisco-asa, firewall, nat, ping, vlan

I have a Cisco ASA 5506-X firewall that I am using to NAT addresses on a machine subnet. These addresses are from a VLAN. When I ping from a 192 (subnet) address to a 177 (VLAN) address through the NAT, the ping is successful.
However, when I try to ping the default gateway/firewall for the VLAN (177.22.250.190) I get no reply. If I ping using the same 177 address without it being NATed I get a reply. I hear that there is no TTL change on packets from an ASA 5506-X, so what causes it to fail? I can't ping addresses beyond the firewall either…

: Saved
:
: Serial Number: JAD214904MZ
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(1) 
!
terminal width 350
hostname NPRDKMA08NAT01
domain-name novoprod.local
enable password $sha512$5000$UxkgSXnr+/4ra5OjdA/ccA==$GckUvCDwWZxO9x6eat22jA== pbkdf2
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 100
 ip address 177.22.250.130 255.255.255.192 
 ipv6 address autoconfig
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif vlan
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name corpcos.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network obj_HMI01
 host 192.168.1.12
 description diluteHMI1
object network obj_HMI02
 host 192.168.1.13
 description diluteHMI2
object network obj_HMIPR01
 host 192.168.1.202
 description dilutelenxeThermo
object network obj:NPPLC801
 host 192.168.1.10
 description dilutePLC
object network obj_BR1
 host 192.168.1.206
 description diluteVision
object network obj_PLC01
 host 192.168.1.180
 description CartonTwinCat
object network obj_BR2
 host 192.168.1.207
 description render
object network obj_PLC02
 host 192.168.1.181
 description Scada
object network obj_HMIPR02
 host 192.168.1.203
 description WritelenxeInk
object network obj_HMIPR03
 host 192.168.1.204
 description WritelenxeLaser
object network obj_BR3
 host 192.168.1.208
 description WriteVision
object network obj_HMI03
 host 192.168.1.112
 description robotHMI1
object network PLC802
 host 192.168.1.110
 description robotPLC
object network Rework
 host 192.168.1.205
 description robotInlineWash
object network obj_BR4
 host 192.168.1.209
 description robotVision
object network QXC
 host 192.168.1.211
 description ManualShipperWash
object network OXB1
 host 192.168.1.210
 description AcidWash
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu vlan 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network obj_HMI01
 nat (inside_1,outside) static 177.22.250.141 net-to-net dns
object network obj_HMI02
 nat (inside_1,outside) static 177.22.250.142 net-to-net dns
object network obj_HMIPR01
 nat (inside_1,outside) static 177.22.250.143 net-to-net dns
object network PLC0801
 nat (inside_1,outside) static 177.22.250.140 net-to-net dns
object network obj_BR1
 nat (inside_1,outside) static 177.22.250.145 net-to-net dns
object network obj_PLC01
 nat (inside_1,outside) static 177.22.250.150 net-to-net dns
object network obj_BR2
 nat (inside_1,outside) static 177.22.250.155 net-to-net dns
object network obj_PLC02
 nat (inside_1,outside) static 177.22.250.160 net-to-net dns
object network obj_HMIPR02
 nat (inside_1,outside) static 177.22.250.163 net-to-net dns
object network obj_HMIPR03
 nat (inside_1,outside) static 177.22.250.164 net-to-net dns
object network obj_BR3
 nat (inside_1,outside) static 177.22.250.165 net-to-net dns
object network obj_HMI03
 nat (inside_1,outside) static 177.22.250.171 net-to-net dns
object network PLC0802
 nat (inside_1,outside) static 177.22.250.170 net-to-net dns
object network Rework
 nat (inside_1,outside) static 177.22.250.173 net-to-net dns
object network obj_BR4
 nat (inside_1,outside) static 177.22.250.175 net-to-net dns
object network QXC
 nat (inside_1,outside) static 177.22.250.183 net-to-net dns
object network OXB1
 nat (inside_1,outside) static 177.22.250.187 net-to-net dns
route outside 0.0.0.0 0.0.0.0 177.22.250.190 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-redilute 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 vlan
http 192.168.1.13 255.255.255.255 inside_1
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_7
http 192.168.1.0 255.255.255.0 inside_3
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.1.1,CN=ciscoasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 46806c5a
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp trusted-key 1
ntp server 177.21.12.4 key 1 source outside prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:f8c5c03fdffff45d10568c857f02ef5b
: end
no asdm history enable

Best Answer

Initially, I could see a lot of security hardening needs to be done on your device.

The fact is, by default, Cisco ASA blocks ICMP.

To allow ping, configure your firewall to allow ICMP inspection using the commands below.

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect icmp
exit

service-policy global_policy global
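Taking the answer's two points together (the missing ICMP inspection and the broader hardening remark), here is an added Python check that is not part of the original question or answer: it parses a `show running-config` dump into parent commands and their sub-commands, reports whether the policy-map bound with `service-policy ... global` carries `inspect icmp`, and flags three other settings that appear in the posted config. The sample config is a constructed excerpt shaped like the posted one, not the full dump.

```python
import re
# Constructed excerpt shaped like the posted running-config (not the full dump).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 100
 ip address 177.22.250.130 255.255.255.192
same-security-traffic permit inter-interface
ssh key-exchange group dh-group1-sha1
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

def parse_sections(config):
    """Group indented sub-commands under their unindented parent command."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw[0] in "!:":
            continue  # skip separators and ': Saved' style header lines
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def global_policy_inspects_icmp(sections):
    """True only if the policy-map bound by 'service-policy ... global' carries 'inspect icmp'."""
    for top in sections:
        m = re.match(r"service-policy (\S+) global$", top)
        if m:
            return "inspect icmp" in sections.get("policy-map " + m.group(1), [])
    return False

def lint(config):
    """Return findings as strings; an empty list means nothing was flagged."""
    s, findings = parse_sections(config), []
    if not global_policy_inspects_icmp(s):
        findings.append("no 'inspect icmp' in the global policy: echo replies through the ASA are dropped")
    for top, body in s.items():
        if top.startswith("interface ") and "nameif outside" in body and "security-level 100" in body:
            findings.append(top + ": outside interface at security-level 100 (normally 0)")
    if "ssh key-exchange group dh-group1-sha1" in s:
        findings.append("ssh key-exchange uses dh-group1-sha1; move to a dh-group14 option")
    if "same-security-traffic permit inter-interface" in s:
        findings.append("same-security-traffic permit inter-interface lets every interface reach every other")
    return findings
```

Run `lint()` over the full dump to get the same four findings; once `inspect icmp` is added under `class inspection_default`, the first one disappears.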