ASA 5505: unable to ping external hosts

Unanswered Question
Jun 20th, 2007

Hi,

I have a LAN behind ASA 5505, interface NAT/PAT is configured.

External interface is configured for PPPoE.

Everything works fine except I cannot ping from a LAN PC external hosts. I can however ping external hosts from ASA itself. ICMP is allowed:

icmp permit any inside
icmp permit any outside
access-list outside_access_in extended permit icmp any any

Protocol inspections and fixups are default.

When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:

302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

Where 202.xx.yy.zz is the IP of the external interface of the ASA.

This is a very simple setup that runs on a number of other PIXes/ASAs and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface?

Any help will be highly appreciated.

Thank you.

Alex

srue Wed, 06/20/2007 - 20:39

Just to clarify, outside_access_in is the ACL that is applied to your outside interface?

Can you post the full ACL, as well as all nat/global/static commands.

augnevenok Wed, 06/20/2007 - 21:52

I attached the config of the ASA.

I am running similar configs on other firewalls and never had a problem with ICMP being blocked.

krowland123 Wed, 10/22/2008 - 12:07

Did you ever come up with a fix for this? I am running into this very issue right now on an ASA5505 running 7.2(3).

JORGE RODRIGUEZ Wed, 10/22/2008 - 12:56

Alex / Kerry, you have a couple of options for handling ICMP outbound, either an ACL or ICMP inspection:

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside

Or ICMP inspection instead of an ACL:

policy-map global_policy
 class inspection_default
  inspect icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

HTH

Jorge
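The log pattern in the original post (a 302020 "Built ICMP connection" for an inside host followed by a 313004 echo-reply drop with "no matching session") is exactly what an operator would want to spot in a syslog feed before reaching for either of the fixes above. The script below is an added example, not from the thread or from Cisco: it correlates those two message IDs over a constructed log sample modelled on the lines quoted above, with 203.0.113.5 standing in for the masked outside address 202.xx.yy.zz.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ASA syslog IDs quoted in the thread
# (302020 Built, 313004 Denied, 302021 Teardown). 203.0.113.5 is a placeholder
# for the masked outside-interface address 202.xx.yy.zz.
SAMPLE_LOG = """\
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 203.0.113.5/1 laddr 10.2.32.68/512
302020 61.95.50.185 203.0.113.5 Built ICMP connection for faddr 61.95.50.185/0 gaddr 203.0.113.5/1 laddr 203.0.113.5/1
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 203.0.113.5: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 203.0.113.5 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 203.0.113.5/1 laddr 203.0.113.5/1
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 203.0.113.5/1 laddr 10.2.32.68/512
"""

BUILT_RE = re.compile(
    r"^302020 .*Built ICMP connection for faddr ([\d.]+)/\d+ gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+")
DENIED_RE = re.compile(
    r"^313004 Denied ICMP type=(\d+), from laddr ([\d.]+) on interface (\S+) to ([\d.]+): no matching session")


def find_dropped_echo_replies(lines):
    """Correlate a 302020 'Built ICMP connection' with a later 313004 drop of an
    echo-reply (type 0) from the same remote host to the same PAT address.
    Returns one (remote, pat_ip, [inside hosts]) tuple per such drop; this is the
    fingerprint of outbound ping failing because neither 'inspect icmp' nor an
    inbound echo-reply permit on the outside ACL is in place."""
    built = defaultdict(set)          # (faddr, gaddr) -> set of inside laddr
    findings = []
    for line in lines:
        m = BUILT_RE.match(line)
        if m:
            faddr, gaddr, laddr = m.groups()
            # The second Built line in the thread has laddr == gaddr (the outside
            # address itself); skip it so only real inside hosts are reported.
            if laddr != gaddr:
                built[(faddr, gaddr)].add(laddr)
            continue
        m = DENIED_RE.match(line)
        if m and m.group(1) == "0":   # ICMP type 0 == echo-reply
            remote, pat_ip = m.group(2), m.group(4)
            inside = built.get((remote, pat_ip))
            if inside:
                findings.append((remote, pat_ip, sorted(inside)))
    return findings


if __name__ == "__main__":
    for remote, pat_ip, hosts in find_dropped_echo_replies(SAMPLE_LOG.splitlines()):
        print(f"echo-reply from {remote} to {pat_ip} dropped: no session; inside hosts {hosts}")
```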
