ASA 5505: unable to ping external hosts

augnevenok
Level 1

Hi,

I have a LAN behind ASA 5505, interface NAT/PAT is configured.

External interface is configured for PPPoE.

Everything works fine except I cannot ping from a LAN PC external hosts. I can however ping external hosts from ASA itself. ICMP is allowed:

icmp permit any inside

icmp permit any outside

access-list outside_access_in extended permit icmp any any

Protocol inspections and fixups are default.

When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:

302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session

313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside

302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

Where 202.xx.yy.zz is IP of external interface of ASA.

This is a very simple setup that runs on a number of other PIXes/ASAs, and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface.

Any help will be highly appreciated.

Thank you.

Alex

4 Replies

srue
Level 7

just to clarify, outside_access_in is the acl that is applied to your outside interface?

can you post the full acl, as well as all nat/global/static commands.

I attached the config of the ASA.

I am running similar configs on other firewalls and never had a problem with ICMP being blocked.

Did you ever come up with a fix for this? I am running into this very issue right now on an ASA5505 running 7.2(3).

Alex / Kerry, you have a couple of options for handling ICMP outbound, either an ACL or ICMP inspection:

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

access-group outside_access_in in interface outside

or icmp inspection instead of acl.

policy-map global_policy

class inspection_default

inspect icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

HTH

Jorge

Jorge Rodriguez
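An added example (not code from this thread or from Cisco): a small Python parser that reads ASA syslog lines of the kind Alex posted and flags the symptom Jorge's fix addresses, an echo-reply denied on the outside interface with "no matching session" although the outbound ICMP connection was built. The sample lines are constructed from the post, with 202.xx.yy.zz standing in for the outside address as in the original.

```python
import re

# Constructed sample, modelled on the syslog lines in the question above.
SAMPLE_LOG = """\
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
"""

# 302020: connection built; capture faddr (foreign), gaddr (global/PAT) and laddr (local) without ports.
BUILT_RE = re.compile(
    r"^302020 .*Built ICMP connection for faddr (\S+)/\d+ gaddr (\S+)/\d+ laddr (\S+)/\d+")
# 313004: ICMP packet dropped because no connection/session matched it.
DENIED_RE = re.compile(
    r"^313004 Denied ICMP type=(\d+), from laddr (\S+) on interface (\S+) to (\S+): no matching session")


def parse_lines(text):
    """Split the log into built connections and 'no matching session' denials."""
    built = []   # (faddr, gaddr, laddr)
    denied = []  # (icmp_type, faddr, interface, to_addr)
    for line in text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            built.append(m.groups())
            continue
        m = DENIED_RE.match(line)
        if m:
            denied.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return built, denied


def diagnose(text):
    """Return one finding per echo-reply (type 0) dropped on 'outside' whose peer and
    PAT address match a connection that was built, i.e. the reply was not tracked."""
    built, denied = parse_lines(text)
    findings = []
    for icmp_type, faddr, ifname, to_addr in denied:
        if icmp_type != 0 or ifname != "outside":
            continue
        hits = [b for b in built if b[0] == faddr and b[1] == to_addr]
        if hits:
            laddr = hits[0][2]
            findings.append(
                f"echo-reply {faddr} -> {to_addr} (PAT for {laddr}) dropped with no matching "
                f"session: enable 'inspect icmp' or permit icmp echo-reply in the outside ACL")
    return findings
```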