07-11-2008 12:54 AM - edited 03-11-2019 06:12 AM
Guys please help me. I can't ping outside network like yahoo.com when I'm connected to the ASA5510 firewall. Do you have any idea how to set the ACL to allow pinging the outside network?
Thanks.
07-11-2008 01:21 AM
How are you connected to the ASA? Is it via VPN using a VPN client? If you are connecting via VPN client and split tunneling is not enabled on the ASA for the profile you are connecting to the ASA with, you would not be able to ping any address on the Internet. You need to enable split tunneling for this profile.
If you are on a network behind the ASA (i.e. Inside interface of the ASA), then you can enable pinging through the ASA by entering the commands below on the ASA:
config t
policy-map global_policy
class inspection_default
inspect icmp
Regards.
07-11-2008 03:41 AM
Hi,
1. Allow ICMP in both directions (by the application of access lists to the source and destination interfaces).
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded
2. Enable the ICMP inspection engine to allow ICMP sessions to be treated as bidirectional connections.
inspect icmp
HTH - pls rate if it does
Regards
Stephen
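An added example, not part of the thread and not Cisco tooling: a Python check over saved `show running-config` text that reports whether `inspect icmp` sits under `global_policy` / `inspection_default`, and lists ICMP ACL entries that permit more than the four reply types in the post above. It assumes the one-space indentation of sub-commands seen in ASA output and the `any any` ACL form used in the post; the sample config and function names are constructed.

```python
import re

# Reply-type ICMP messages permitted by the ACL in the post above.
REPLY_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

# Constructed sample running-config, not taken from the thread.
SAMPLE_CONFIG = """\
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
policy-map other_policy
 class inspection_default
  inspect icmp
"""

def icmp_inspection_enabled(config: str) -> bool:
    """True if 'inspect icmp' sits under global_policy / inspection_default."""
    policy = cls = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command resets the context
            is_pm = words[0] == "policy-map" and len(words) > 1
            policy, cls = (words[1] if is_pm else None), None
        elif words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif (policy, cls) == ("global_policy", "inspection_default"):
            if words == ["inspect", "icmp"]:
                return True
    return False

# Matches only the "any any" form used in the post; group 2 is the ICMP type.
ACL_RE = re.compile(r"^access-list (\S+) extended permit icmp any any(?: (\S+))?$")

def broad_icmp_entries(config: str) -> list[str]:
    """ACL lines permitting ICMP with no type, or a type outside REPLY_TYPES."""
    flagged = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(2) not in REPLY_TYPES:
            flagged.append(line.strip())
    return flagged
```

On the sample, the inspection check is false because `inspect icmp` is attached to a different policy-map, and access-list 101 is flagged because it permits every ICMP type.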
07-11-2008 06:46 PM
Thanks for the reply. I'm connected to the ASA behind a network using the DMZ interface. The "inspect icmp" statement is the only missing thing in my config. I will add this and give you an update.
Thanks.
07-11-2008 06:55 PM
Hi, if I use the "inspect icmp" statement, is there a catch with this command?
Is my network still safe?