can't ping from inside with asa 5520

Unanswered Question
May 18th, 2009


I configure ASA 5520 to protect my network, but i can't go to the internet from my inside.

i can ping outside address frome outside interface from asa but not from inside .

ciscoasa# show run

: Saved


ASA Version 7.0(8)


hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted




interface GigabitEthernet0/0

no nameif

no security-level

no ip address


interface GigabitEthernet0/1

nameif OUTSIDE

security-level 0

ip address


interface GigabitEthernet0/2


no nameif

no security-level

<--- More --->

no ip address


interface GigabitEthernet0/3

nameif inside

security-level 100

ip address


interface Management0/0


no nameif

no security-level

no ip address


ftp mode passive

pager lines 24

mtu inside 1500

mtu OUTSIDE 1500

no failover

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (OUTSIDE) 1 interface

nat (inside) 1

route OUTSIDE 1

<--- More --->

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username cisco password 3USUcOPFUiMCO4Jk encrypted

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet inside

telnet timeout 5

ssh timeout 5

console timeout 0


class-map inspection_default

match default-inspection-traffic



policy-map global_policy

class inspection_default

<--- More --->

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp


service-policy global_policy global


: end

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Fernando_Meza Tue, 05/19/2009 - 03:43


You most likely need to enable icmp inspect in order to get icmp through the firewall. This is disabled by default

hostname(config)# policy-map global_policy

hostname(config-pmap)# class inspection_default

hostname(config-pmap-c)# inspect icmp

hostname(config-pmap-c)# exit

You should be able to connect to the Internet though (of course assuming your DNS settings are correct.

I hope it helps .. please rate helpful posts


This Discussion