Not Able to ping or ssh to the Inside int on ASA 5540 from the outside netw

Unanswered Question
Apr 10th, 2007

I have an ASA 5540 and I have ACL's applied to inside and outside int's that allow all traffic currently and I have proved that the ICMP and SSH traffic is being allowed by doing a packet trace. I did notice in my logs that when an ICMP packet hits the inside interface from the outside it is replying but the logs are saying the following:

Apr 10 2007 09:37:53: %ASA-6-302020: Built ICMP connection for faddr 1XX.XX.XX.X/512 gaddr 1XX.XX.XX.X/0 laddr 1XX.XX.XX.X/0

Apr 10 2007 09:37:55: %ASA-6-302021: Teardown ICMP connection for faddr 1XX.XX.XX.X/512 gaddr 1XX.XX.XX.X2/0 laddr 1XX.XX.XX.X2/0

can anyone assist me what is going on with the stateful ICMP inspection or should I be looking at something else?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
David White Tue, 04/10/2007 - 05:52

The ASA will not allow you to ping a remote interface. Meaning, if you are on the outside, you can ONLY ping the outside interface. You will be unable to ping any other interface on the box.

If you are on the inside, the same will be true, you can only ping the inside interface and no other interface.

Finally, please note that ACLs only apply to *through* traffic (traffic traversing the ASA). They do not apply to traffic destined to the ASA. The "icmp ..." commands would affect pings to the ASA.

Hope it helps,

David.

PS> If this solves your issue, please don't forget to check the box so we can mark it off our list.

laverne-sanders Tue, 04/10/2007 - 05:56

Ok that is what I was thinking but just wanted to make sure but the next question is why am I having problems connecting to the inside interface via SSH? The PIX allows this and the ASA currently is not allowing me to do this.

Actions

This Discussion