Can't ping Outside in ASA5510

helios999
Level 1

Guys please help me. I can't ping outside network like yahoo.com when I'm connected to the ASA5510 firewall. Do you have any idea how to set the ACL to allow pinging the outside network?

Thanks.

2 Accepted Solutions


a.ajiboye
Level 1

How are you connected to the ASA? Is it via VPN using a VPN client? If you are connecting via VPN client and split tunneling is not enabled on the ASA for the profile you are connecting to the ASA with, you would not be able to ping any address on the Internet. You need to enable split tunneling for this profile.

If you are on a network behind the ASA (i.e. Inside interface of the ASA), then you can enable pinging through the ASA by entering the commands below on the ASA:

config t

policy-map global_policy

class inspection_default

inspect icmp

Regards.


stephen.stack
Level 4

Hi,

1. Allow ICMP in both directions (by the application of access lists to the source and destination interfaces).

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any source-quench

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit icmp any any time-exceeded

2. Enable the ICMP inspection engine to allow ICMP sessions to be treated as bidirectional connections

inspect icmp

HTH - pls rate if it does

Regards

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
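
The two answers above describe two ways to let ping replies back through the ASA: stateful ICMP inspection, or ACL entries for specific reply and error types. The following Python script is an added example (not part of either post and not Cisco tooling) that audits a saved configuration for both. It assumes `show running-config` style text with indented policy-map blocks; the function name `audit_icmp`, ACL 101 and the sample configuration are constructed for illustration.

```python
import re

# ICMP type keywords this audit recognises: echo plus the four from the second answer.
ICMP_TYPES = {"echo", "echo-reply", "source-quench", "unreachable", "time-exceeded"}

# Constructed sample, shaped like "show running-config" output (not from the thread).
SAMPLE = """\
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any
access-group 101 in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""

def audit_icmp(config):
    """Report how ICMP return traffic is handled in an ASA configuration."""
    inspected, applied_maps, bound, acl_types = set(), set(), {}, {}
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level command ends any policy-map block
            policy = None
        if m := re.match(r"policy-map (\S+)", line):
            policy = m.group(1)
        elif policy and line == "inspect icmp":
            inspected.add(policy)
        elif m := re.match(r"service-policy (\S+) ", line):
            applied_maps.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(1)] = m.group(2)
        elif m := re.match(r"access-list (\S+) extended permit icmp (.+)", line):
            # Assumption: the type keyword, if present, is the last token (no "log" option).
            last = m.group(2).split()[-1]
            kind = last if last in ICMP_TYPES else "ALL"   # no type = every ICMP type
            acl_types.setdefault(m.group(1), set()).add(kind)
    findings = []
    for acl, types in sorted(acl_types.items()):
        if acl not in bound:
            findings.append(f"ACL {acl}: defined but not bound with access-group")
        elif "ALL" in types:
            findings.append(f"ACL {acl} on {bound[acl]}: permits every ICMP type")
        elif "echo" in types:
            findings.append(f"ACL {acl} on {bound[acl]}: permits echo requests")
    # Inspection only takes effect if its policy-map is applied by a service-policy.
    return {"stateful_icmp": bool(inspected & applied_maps), "findings": findings}

print(audit_icmp(SAMPLE))
```

An ACL that is defined but never bound has no effect on traffic, and an untyped `permit icmp any any` on the outside interface admits far more than the four reply and error types listed in the second answer.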


4 Replies


Thanks for the reply. I'm connected to the ASA behind a network using the DMZ interface. The "inspect icmp" statement is the only missing thing in my config. I will add this and give you an update.

Thanks.

Hi, if I use the "inspect icmp" statement, is there a catch with this command?

Is my network still safe?
