ASA ACL issue

Unanswered Question
Sep 25th, 2009

Greeting All,


I've tried to ping from the inside network to the outside, and normally this should be possible, since:


Internal network has a security profile of 100


External network has a security profile of 0


And since the rule "permit from a secure network to a less secure one" is enabled. BUT I still can't ping from my inside interface (172.16.1.0/24) to the outside interface (10.10.10.0/24).


I even tried to modify the ACL to allow everything from inside to outside and vice versa, but it still doesn't work.


Is it a bug or what? I'm really stuck here!!!


Thanks for your help guys.


PS: I have attached 2 print screens for more information.





Yudong Wu Fri, 09/25/2009 - 11:59

Do you have syslog enabled? If yes, what does the log say about ICMP?


Remember by default, ICMP won't be inspected. Therefore, you have to either permit echo-reply on outside interface or enable icmp inspection. Since you have already configured "permit any" on outside interface, you should be able to ping.


If the packet was dropped by the ASA, you should see something in the log or by enabling "debug icmp trace 255".
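The two options in the reply above, written out as ASA CLI. This is an added configuration example, not a config from the thread or one of its participants; the subnets are the ones given in the question, while the ACL name OUTSIDE_IN is an assumed name and the policy-map and class names are the ASA defaults.

```cisco
! Option A: let the ASA track ICMP echo state (stateful inspection).
! Echo-replies for an inside-originated ping then return without any
! explicit entry in the outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: leave ICMP inspection off and explicitly allow the return
! messages on the lower-security (outside) interface. This is narrower
! than "permit any": only replies and error messages from 10.10.10.0/24
! back to 172.16.1.0/24 are admitted, never inbound echo-requests.
! OUTSIDE_IN is an assumed ACL name.
access-list OUTSIDE_IN extended permit icmp 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0 echo-reply
access-list OUTSIDE_IN extended permit icmp 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE_IN extended permit icmp 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0 unreachable
access-group OUTSIDE_IN in interface outside
```

Option A is usually preferable: the ASA only admits replies that match an echo it saw leave, so the outside ACL need not open ICMP at all. Option B is the fallback where inspection is not wanted, and it should stay as narrow as shown rather than "permit icmp any any".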

Seifeddine-Tlili Fri, 09/25/2009 - 12:41
Thanks for your reply, I appreciate it.


Well, normally, since I have permitted the ICMP traffic from the outside to the inside and vice versa, ICMP traffic should go through, but it's not.


I have checked the packet tracer and it says that the ACL is dropping the packet, and it seems that it's bypassing the rule that I have.


I have attached a copy of my running config.


Thanks for your help.


Kindly

Seifeddine Tlili



Yudong Wu Fri, 09/25/2009 - 13:01

Your config looks good.

Can you post the output of packet-tracer?
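The packet-tracer and log commands that produce the output asked for above, as an added example rather than commands from the thread. The host addresses 172.16.1.10 and 10.10.10.10 are assumed hosts inside the subnets named in the question.

```cisco
! Simulate an echo-request from an inside host to an outside host.
! "8 0" is ICMP type 8 (echo) code 0. The output lists each phase the
! packet passes (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and ends with
! "Action: allow" or "Action: drop"; on a drop, the Drop-reason line
! names the cause, e.g. the ACL entry that denied it.
packet-tracer input inside icmp 172.16.1.10 8 0 10.10.10.10

! After a real ping from the inside host, look for ACL denies in the
! syslog buffer. 106023 is the "Deny ... by access-group" message and
! includes the interface, ACL name and 5-tuple of the dropped packet.
show logging | include 106023

! Per-packet ICMP trace on the console: shows each echo and echo-reply
! as the ASA sees it, including the interface it arrived on and left by,
! so a request that leaves but has no matching reply points at the
! outside-to-inside path rather than the inside ACL.
debug icmp trace
```

Run packet-tracer once with the real host addresses rather than the interface addresses: the thread's later finding that pinging the ASA's own far-side interface IP fails is expected and would be a misleading test case.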

Seifeddine-Tlili Fri, 09/25/2009 - 15:25

Thanks for your reply. Well, it seems that I can't ping with the inside interface as the source address to the outside interface; however, I can ping from an inside host to an outside host. Isn't that weird?


Thanks for all

Yudong Wu Fri, 09/25/2009 - 22:56

Not sure what you are trying to ping.

Remember, you cannot ping from a host in the inside network to the IP address of the ASA's outside interface. This is expected behavior.
