inside to outside ping in ASA

Ivan Martinon Thu, 03/05/2009 - 09:14
User Badges:
  • Cisco Employee,

Are you pinging from a host behind the ASA to a host outside the ASA?


If yes you need to enable ICMP inspection under the policy map:


policy-map global_policy
 class inspection_default
  inspect icmp


Or are you using the inside interface to ping the outside interface?

If yes this is not supported.

JamesLuther Thu, 03/05/2009 - 11:17

Hi,


The commands "icmp permit any OUTSIDE" and "icmp permit any INSIDE" control ICMP to the ASA itself.


To allow ICMP through the ASA, use access-lists.



Regards

JamesLuther Fri, 03/06/2009 - 02:37

Hi,


Here are some configuration examples on how to get ICMP through the ASA working.



access-list in_on_inside permit icmp any any echo
access-group in_on_inside in interface inside

access-list in_on_outside permit icmp any any echo-reply
access-group in_on_outside in interface outside



or



access-list in_on_inside permit icmp any any echo
access-group in_on_inside in interface inside

policy-map global_policy
 class inspection_default
  inspect icmp




Also, is nat-control disabled on your firewall? You can make sure by typing


no nat-control





Regards
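
An offline check for the two approaches in the post above, added here as an example (not code from the thread or from Cisco): it reads ASA configuration text and reports whether the echo is allowed out of the inside interface and whether the reply returns via "inspect icmp", via the outside ACL, both, or not at all. The function names and sample configs are constructed; it recognises only the "permit icmp any any" ACL form shown in the thread, and it assumes global_policy is applied globally and that inside has the higher security level.

```python
import re

# Constructed sample configs (not taken from the thread's attachment).
ACL_ONLY = """\
access-list in_on_inside permit icmp any any echo
access-group in_on_inside in interface inside
access-list in_on_outside permit icmp any any echo-reply
access-group in_on_outside in interface outside
"""
INSPECT_ONLY = """\
access-list in_on_inside permit icmp any any echo
access-group in_on_inside in interface inside
policy-map global_policy
 class inspection_default
  inspect icmp
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit icmp any any (\S+)$")
GRP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")

def parse(config):
    """Collect ICMP permits per ACL, inbound ACL per interface, and inspect icmp."""
    permits, bound, inspect, ctx = {}, {}, False, [None, None]
    for line in (l.strip() for l in config.splitlines()):
        words = line.split()
        if not words:
            continue
        if words[0] == "policy-map":
            ctx = [words[1], None]
        elif words[0] == "class" and ctx[0]:
            ctx[1] = words[1]
        elif words[0] == "inspect":
            inspect |= words == ["inspect", "icmp"] and ctx == ["global_policy", "inspection_default"]
        else:
            ctx = [None, None]          # any other command leaves policy-map mode
            if m := ACL_RE.match(line):
                permits.setdefault(m[1], set()).add(m[2])
            elif m := GRP_RE.match(line):
                bound[m[2]] = m[1]
    return permits, bound, inspect

def ping_path(config, inside="inside", outside="outside"):
    """Return (echo_leaves_inside, how_reply_returns) for an inside-to-outside ping."""
    permits, bound, inspect = parse(config)
    # Assumption: with no ACL bound inbound on inside, inside-to-outside is permitted.
    out_ok = inside not in bound or "echo" in permits.get(bound[inside], set())
    acl_ok = "echo-reply" in permits.get(bound.get(outside), set())
    how = ("none", "acl", "inspect", "both")[2 * inspect + acl_ok]
    return out_ok, how
```

A result of "acl" means the outside interface accepts echo-replies from any source whether or not a request was sent, while "inspect" lets the ASA match each reply to a request.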

Ivan Martinon Fri, 03/06/2009 - 07:54
User Badges:
  • Cisco Employee,

How are you trying to ping? Is it from a host behind the ASA to a host outside the ASA? Or from the actual interfaces?

I am pinging from a switch and my Laptop behind ASA.


Just simply pissed off. Today it started pinging and I started testing failover, powered off my secondary ASA and since then it again stopped Pinging. I restarted my failover ASA but :(


PFA configuration of all the devices and let me know if you find any configuration issue in any of the devices.


