Re: Can`t ping my ASA outside int from the inside

From: Mike Canfield (mike@mcanfield.com)
Date: Sat Oct 04 2008 - 12:51:55 ART


management-access interface_name

On Oct 4, 2008, at 11:44 AM, Muhammad Nasim wrote:

> No, one cannot ping from inside to the outside interface. There are
> several tests which one wants to perform while sitting on the inside,
> but one cannot.
>
>
>
> 2008/10/4 Mark Anthony <mctony@ymail.com>
>
>> I am using an ASA 5510 between my inside network and the internet
>> router.
>>
>>
>>
>> I cannot ping my ASA outside interface and the internet router inside
>> interface.
>>
>>
>>
>> Here is what I want to achieve:
>>
>> 1. I want my inside users to get to the internet using the proxy addr
>>
>> 2. I want my inside users to ping the outside int of the ASA.
>>
>> 3. I want remote users to access just 3 servers in my inside
>> network; these servers also have public addresses.
>>
>>
>>
>> Below is the config I have presently on the ASA.
>>
>>
>>
>> Can someone please help me by providing the configs that will make me
>> achieve
>> these tasks stated above.
>>
>>
>>
>> Thanks in advance
>>
>>
>>
>>
>>
>> ASA Version 7.0(6)
>> !
>> hostname ciscoasa
>> enable password 8Ry2YjIyt7RRXU24 encrypted
>> names
>> dns-guard
>> !
>> interface Ethernet0/0
>> description <connection to the internet router>
>> nameif outside
>> security-level 0
>> ip address 194.203.x.x 255.255.255.0
>> !
>> interface Ethernet0/1
>> description <connection to internal networks>
>> nameif inside
>> security-level 100
>> ip address 194.203.x.x 255.255.255.0
>> !
>> interface Ethernet0/2
>> description <connection to servers>
>> shutdown
>> nameif DMZ
>> security-level 50
>> no ip address
>> !
>> interface Ethernet0/3
>> shutdown
>> no nameif
>> no security-level
>> no ip address
>> !
>> interface Management0/0
>> speed 100
>> duplex full
>> nameif management
>> security-level 0
>> ip address 192.168.1.1 255.255.255.0
>> !
>> passwd 2KFQnbNIdI.2KYOU encrypted
>> ftp mode passive
>> access-list 100 extended permit icmp any any echo-reply
>> access-list 100 extended permit icmp any any time-exceeded
>> access-list 100 extended permit icmp any any unreachable
>> access-list 100 extended permit tcp any host 62.x.x.x eq www
>> access-list 100 extended permit tcp any host 62.x.x.x eq www
>> access-list 100 extended permit tcp any host 62.x.x.x eq smtp
>> pager lines 24
>> logging enable
>> mtu outside 1500
>> mtu inside 1500
>> mtu DMZ 1500
>> mtu management 1500
>> no failover
>> asdm image disk0:/asdm506.bin
>> no asdm history enable
>> arp timeout 14400
>> global (outside) 1 62.x.x.x (proxy server public addres)
>> nat (inside) 1 0.0.0.0 0.0.0.0
>> static (inside,outside) 62.173.x.x x.203.101.5 netmask 255.255.255.255
>> static (inside,outside) 62.173.x.x x.203.101.250 netmask 255.255.255.255
>> static (inside,outside) 62.173.x.x x.203.101.2 netmask 255.255.255.255
>> access-group 100 in interface outside
>> route outside 0.0.0.0 0.0.0.0 10.163.x.x 1( isp )
>> timeout xlate 3:00:00
>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
>> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
>> timeout uauth 0:05:00 absolute
>> no snmp-server location
>> no snmp-server contact
>> snmp-server enable traps snmp authentication linkup linkdown coldstart
>> telnet timeout 5
>> ssh timeout 5
>> console timeout 0
>> Cryptochecksum:0d567cde88308477ab94bd171ee1479e
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
>



This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST