ASA/PIX not responding to Pings from Outside interface

Answered Question
May 13th, 2010

I need an ASA/PIX firewall to respond to my ping entering the outside interface from a specific subnet. Is this ACL correctly written to do that?

access-list 101 permit icmp 76.X.X.X 255.255.255.192 any echo-reply
access-group 101 in interface outside


Overall Rating: 5 (2 ratings)
Correct Answer
Jon Marshall Thu, 05/13/2010 - 06:45

iketurner931 wrote:

    I need an ASA/PIX firewall to respond to my ping entering the outside interface from a specific subnet. Is this ACL correctly written to do that?

    access-list 101 permit icmp 76.X.X.X 255.255.255.192 any echo-reply
    access-group 101 in interface outside

An ACL allows ping through the firewall, not to the firewall.

You need this instead -

icmp permit 76.x.x.x 255.255.255.192 echo-reply outside

However, by default an ASA should respond to ping on its interfaces anyway, so you need to check your config.

Note also that you cannot ping across the ASA to an interface, so if you are outside you can ping the outside interface but not any of the others.


Jon

Charlie Mayes Thu, 05/13/2010 - 06:59

Thanks Jon,

Are you saying that the Pix by default will not respond to pings but the ASA will?

Correct Answer
Jon Marshall Thu, 05/13/2010 - 07:08

iketurner931 wrote:

    Thanks Jon,

    Are you saying that the Pix by default will not respond to pings but the ASA will?

No, the PIX should respond by default to pings as well.


Jon
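
Added example, not part of the thread and not Cisco code: a Python sketch for the "check your config" step. It separates an ACL bound with access-group (traffic through the firewall) from icmp rules (traffic to the firewall's own interface) and reports whether a source address falls inside any icmp rule on that interface. The sample config, the documentation addresses standing in for the masked 76.X.X.X subnet, and the function names are assumptions; ICMP type matching is reported but not evaluated.

```python
import ipaddress

# Constructed sample config; 198.51.100.0/26 and 203.0.113.9 are documentation
# addresses standing in for the masked 76.X.X.X subnet in the thread.
SAMPLE_CONFIG = """\
access-list 101 permit icmp 198.51.100.0 255.255.255.192 any echo-reply
access-group 101 in interface outside
icmp permit 198.51.100.0 255.255.255.192 echo-reply outside
icmp permit host 203.0.113.9 inside
"""

def parse_net(tokens):
    """Consume 'any', 'host A' or 'A MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def audit_ping(config, iface, source):
    """Hypothetical helper: which lines bear on a ping from source to iface itself."""
    src = ipaddress.ip_address(source)
    box_rules, bound_acls, icmp_acls = [], [], set()
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "icmp" and t[1] in ("permit", "deny") and t[-1] == iface:
            # 'icmp' rules govern ICMP addressed to the firewall's own interface.
            net, rest = parse_net(t[2:-1])
            box_rules.append({"action": t[1], "net": str(net),
                              "type": rest[0] if rest else "any",
                              "source_in_net": src in net})
        elif t[:1] == ["access-list"] and "icmp" in t[2:5]:
            icmp_acls.add(t[1])
        elif (t[:1] == ["access-group"] and t[3:5] == ["interface", iface]
              and "control-plane" not in t):
            # An ACL bound this way filters traffic through the firewall only.
            bound_acls.append(t[1])
    if not box_rules:
        status = "default"        # no icmp rules on this interface: default behaviour
    elif any(r["source_in_net"] for r in box_rules):
        status = "covered"        # at least one icmp rule names this source
    else:
        status = "not-covered"    # icmp rules exist, none names this source
    return {"status": status, "to_the_box": box_rules,
            "through_only": [a for a in bound_acls if a in icmp_acls]}

if __name__ == "__main__":
    for iface, src in [("outside", "198.51.100.10"), ("outside", "198.51.100.200")]:
        print(iface, src, audit_ping(SAMPLE_CONFIG, iface, src))
```
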
