Can't ping DG in ASA 5505

Answered Question
Jul 22nd, 2008

I am trying to configure a new ASA.



From the inside I cannot ping out to the DG or access the internet.

I can ping the outside interface from the outside.

I have ASDM syslogging enabled, and when I ping from the inside it says:

denied ICMP type=0, code =0 from on interface outside

I also see this

portmap creation failed for src inside to dst outside xxx.2337/137 (This is my DNS server).

Help please.

Mike Williams

Tarleton State University

Correct Answer
sundar.palaniappan Tue, 07/22/2008 - 12:53


Try this configuration and test your ping from inside to outside.

nat (inside) 1 10.x.180.0 --> This is your inside network.

global (outside) 1 interface

fixup protocol icmp

Let us know if this helps.



michael.m.williams Tue, 07/22/2008 - 13:03


I can now access the internet from the inside, but I still can't ping the DG.

When I ping I still see denied ICMP type=0 code 0 from on outside interface.


sundar.palaniappan Tue, 07/22/2008 - 13:14

ICMP traffic isn't inspected by default.

Did you add the configuration 'fixup protocol icmp'?

If it still doesn't work, can you post a sanitized copy of the ASA configuration?

michael.m.williams Tue, 07/22/2008 - 13:23

Yes, I added fixup protocol icmp.

Here is my config:

hostname I

enable password xxx
passwd xxx

interface Vlan2
 description ASA outside interface
 nameif outside
 security-level 0
 ip address xxx.xx.120.115

interface Vlan70
 description Inside network for Touchnet
 nameif inside
 security-level 100
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 switchport access vlan 70

interface Ethernet0/2
 switchport access vlan 70

interface Ethernet0/3
 switchport access vlan 70

interface Ethernet0/4
 switchport access vlan 70

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7
 switchport access vlan 70

ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS

pager lines 24
logging enable
logging timestamp
logging asdm informational
logging host outside
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit inside
icmp permit xxx.xx.21.0 outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.XX.180.0
router eigrp 165
 no auto-summary
 eigrp stub connected
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http outside
snmp-server host outside community TSUroCN
snmp-server location Data Center
snmp-server contact Mike Williams
snmp-server community XXXXXXX
snmp-server enable traps snmp authentication coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
telnet XXX.XXX.21.0 outside
telnet timeout 5
ssh XXX.XXX.21.0 outside
ssh timeout 5
console timeout 0
dhcpd dns
dhcpd wins xxx.xx.23.133
dhcpd ping_timeout 30
dhcpd domain
dhcpd update dns

dhcpd address inside
dhcpd dns interface inside
dhcpd wins interface inside
dhcpd ping_timeout 30 interface inside
dhcpd domain xxxxxxxxx interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
ntp server source outside prefer

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error

service-policy global_policy global
prompt hostname context

: end



sundar.palaniappan Tue, 07/22/2008 - 13:45

"threat-detection basic-threat" I haven't worked with this command before. Can you remove this command and check?

michael.m.williams Tue, 07/22/2008 - 13:54

In the config it now states

no threat-detection basic threat.

Still cannot ping out.

I can ping from outside to outside interface.


sundar.palaniappan Tue, 07/22/2008 - 14:36


Just wanted to make sure you are pinging from inside to outside, right?

If you are, then the following configuration that you have in there now should allow ICMP echo-reply packets to come through.

policy-map global_policy
 class inspection_default
  inspect icmp

Though this is the legacy way of doing it, you can try this configuration and that should work.

access-list OUTSIDE permit icmp any any echo-reply
access-group OUTSIDE in interface outside
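
The two mechanisms named in the last reply (ICMP inspection in an applied policy-map, or an ACL permitting echo-reply bound inbound on the outside interface) can be checked mechanically against a saved configuration. This is an added example, not part of the thread: the function name `echo_reply_paths` and the sample configs are constructed assumptions, and only a globally applied service-policy is considered.

```python
import re

# Constructed sample configs (pre-8.3 ASA syntax), not the poster's device.
BASE = """\
global (outside) 1 interface
nat (inside) 1 10.0.180.0 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""
WITH_INSPECT = BASE + "  inspect icmp\nservice-policy global_policy global\n"
ACL_UNBOUND = BASE + "access-list OUTSIDE permit icmp any any echo-reply\n"
WITH_ACL = ACL_UNBOUND + "access-group OUTSIDE in interface outside\n"


def echo_reply_paths(config, outside="outside"):
    """List the mechanisms that let echo replies return through `outside`."""
    lines = [l.rstrip() for l in config.splitlines()]

    def names(pattern):
        # First capture group of every line that matches from its start.
        return {m.group(1) for l in lines if (m := re.match(pattern, l))}

    # 1. Stateful path: 'inspect icmp' inside a policy-map (sub-commands are
    #    indented) that a global service-policy actually applies.
    current, icmp_maps = None, set()
    for line in lines:
        if not line.startswith(" "):
            m = re.match(r"policy-map (?!type )(\S+)$", line)
            current = m.group(1) if m else None
        elif current and line.strip() == "inspect icmp":
            icmp_maps.add(current)
    paths = []
    if icmp_maps & names(r"service-policy (\S+) global$"):
        paths.append("inspect icmp")

    # 2. Legacy path: an ACL permitting echo-reply, bound inbound on outside.
    acls = names(r"access-list (\S+) (?:extended )?permit icmp .*\becho-reply$")
    bound = names(rf"access-group (\S+) in interface {re.escape(outside)}$")
    if acls & bound:
        paths.append("acl echo-reply")
    return paths


if __name__ == "__main__":
    for label, cfg in [("inspect", WITH_INSPECT), ("acl", WITH_ACL),
                       ("unbound acl", ACL_UNBOUND)]:
        print(f"{label:12} -> {echo_reply_paths(cfg) or 'no path found'}")
```

The ACL path admits any echo-reply arriving on the outside interface, whereas inspection only admits replies that match an outstanding echo request, so a result listing only the ACL path is worth reviewing.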



