Can't ping Outside in ASA5510

Answered Question
Jul 11th, 2008

Guys please help me. I can't ping outside network like yahoo.com when I'm connected to the ASA5510 firewall. Do you have any idea how to set the ACL to allow pinging the outside network?


Thanks.

Correct Answer
a.ajiboye Fri, 07/11/2008 - 01:21

How are you connected to the ASA? Is it via VPN using a VPN client? If you are connecting via VPN client and split tunneling is not enabled on the ASA for the profile you are connecting to the ASA with, you would not be able to ping any address on the Internet. You need to enable split tunneling for this profile.


If you are on a network behind the ASA (i.e. Inside interface of the ASA), then you can enable pinging through the ASA by entering the commands below on the ASA:

config t
policy-map global_policy
 class inspection_default
  inspect icmp


Regards.

helios999 Fri, 07/11/2008 - 18:46

Thanks for the reply. I'm connected to the ASA behind a network using the DMZ interface. The "inspect icmp" statement is the only missing thing in my config. I will add this and give you an update.


Thanks.

helios999 Fri, 07/11/2008 - 18:55

Hi, if I use the "inspect icmp" statement, is there a catch with this command?


Is my network still safe?

Correct Answer
stephen.stack Fri, 07/11/2008 - 03:41

Hi,


1. Allow ICMP in both directions (by the application of access lists to the source and destination interfaces).



access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded



2. Enable the ICMP inspection engine to allow ICMP sessions to be treated as bidirectional connections


inspect icmp


HTH - pls rate if it does


Regards


Stephen
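
An added example, not part of the thread and not Cisco tooling: a small Python check over a saved running-config that reports whether "inspect icmp" sits under class inspection_default in policy-map global_policy (a.ajiboye's answer) and whether any "permit icmp any any" entry is wider than the four return types in stephen.stack's ACL. The sample config, function names and finding strings are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the thread's device).
SAMPLE_CONFIG = """\
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
"""

# Return-traffic ICMP types permitted by the ACL in the thread.
RETURN_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}
# Only the "any any" form used in the thread is parsed; other address forms are ignored.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit icmp any any(?: (\S+))?[ \t]*$", re.M)

def has_icmp_inspection(config):
    """True if 'inspect icmp' is under policy-map global_policy, class inspection_default."""
    pmap = cls = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command ends any open policy-map
            pmap = words[1] if words[0] == "policy-map" and len(words) > 1 else None
            cls = None
        elif words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif (pmap, cls) == ("global_policy", "inspection_default") and words == ["inspect", "icmp"]:
            return True
    return False

def audit_icmp_acl(config):
    """Return (acl_name, finding) for each 'permit icmp any any' entry wider than RETURN_TYPES."""
    findings = []
    for acl, icmp_type in ACL_RE.findall(config):
        if not icmp_type:  # no type keyword: every ICMP type is allowed
            findings.append((acl, "all ICMP types permitted"))
        elif icmp_type not in RETURN_TYPES:
            findings.append((acl, "extra ICMP type permitted: " + icmp_type))
    return findings

if __name__ == "__main__":
    print(has_icmp_inspection(SAMPLE_CONFIG), audit_icmp_acl(SAMPLE_CONFIG))
```
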
