Ping through ASA

ayman emara
Level 1

I have a problem, as I permitted PING by the following commands:

icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside

I can ping from outside (PC) to the inside (PC) but I can't ping from the inside (PC) to the outside (PC).

And another question: can the interfaces of the firewall ping each other if I used Extended ping on the firewall? Because in this status both interfaces are not pinging each other too.

Thanks In Advance

Ayman Yehia

2 Accepted Solutions


Jon Marshall
Hall of Fame

207558867 wrote:

I have a problem, as I permitted PING by the following commands:

icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside

I can ping from outside (PC) to the inside (PC) but I can't ping from the inside (PC) to the outside (PC).

And another question: can the interfaces of the firewall ping each other if I used Extended ping on the firewall? Because in this status both interfaces are not pinging each other too.

Thanks In Advance

Ayman Yehia

Ayman

The "icmp permit ..." command controls which interfaces on the firewall can be pinged, not which devices can ping through the firewall.

Have a look at this document which covers how to allow ping through an ASA/Pix firewall -

ASA ping

Can the interfaces ping each other - no they can't.

Jon


Hi Yehia,

I believe you need to add ICMP to your inspection policy-map. After I issued 'inspect icmp' from within my policy-map it worked.

On my ASA 5505 in my home lab I have the following:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global

Hope that helps.

Conor
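
An added example, not part of the original thread or any poster's code: a small Python check that reads an ASA running-config and reports separately which interfaces have "icmp permit" rules (ping to the firewall itself, as in Jon's answer) and whether "inspect icmp" sits in a policy-map that a service-policy actually applies (ping through the firewall, as in Conor's answer). The function name audit_icmp and both sample configs are constructed for illustration; access-lists and security levels are not examined.

```python
import re

# Constructed sample: the "icmp permit" lines quoted in the thread plus a
# global policy that does not yet contain "inspect icmp".
SAMPLE_CONFIG = """\
icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""
# Same config after adding "inspect icmp" to the class, as in Conor's reply.
FIXED_CONFIG = SAMPLE_CONFIG.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")


def audit_icmp(config):
    """Report to-the-box ICMP rules and through-the-box ICMP inspection separately."""
    to_box = set()      # interfaces named in "icmp permit" (ping to the ASA itself)
    inspecting = set()  # layer 3/4 policy-maps that contain "inspect icmp"
    applied = {}        # policy-map name -> scopes where a service-policy applies it
    pmap = None         # policy-map currently being read
    for raw in config.splitlines():
        line = raw.strip()  # indentation is ignored, so flattened pastes also parse
        if line.startswith("icmp permit "):
            to_box.add(line.split()[-1])  # interface name is the last token
        elif line.startswith("policy-map "):
            # "policy-map type inspect ..." maps cannot hold "inspect icmp"
            m = re.match(r"policy-map (?!type )(\S+)$", line)
            pmap = m.group(1) if m else None
        elif line == "inspect icmp" and pmap:
            inspecting.add(pmap)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            applied.setdefault(m.group(1), []).append(m.group(2))
    # Inspection only takes effect if the policy-map is actually applied.
    scopes = sorted(s for p in inspecting for s in applied.get(p, []))
    return {"to_the_box": sorted(to_box), "through_the_box": scopes}


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(name, audit_icmp(cfg))
```

An empty "through_the_box" list alongside a populated "to_the_box" list is the situation in the original question: the firewall's own interfaces accept ping, but ICMP inspection is not applied to transit traffic.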


4 Replies

Thanks a lot, adding the ICMP to the inspection already did it.

JaggerSystems
Level 1

For me, it was that the security-level of the interface was too high. A quick test of this by changing to the same security-level resolved the access. An ACL was put in place on the interface to secure traffic.
