Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4961
Views
5
Helpful
4
Replies

ASA/PIX not responding to Pings from Outside interface

Go to solution
Charlie Mayes
Level 1
Level 1

‎05-13-2010 06:17 AM - edited ‎03-11-2019 10:45 AM

                       I need a ASA/PIX firewall to respond to my ping eneting the outside interface from a specific subnet. Is this ACL correctly written to do that?

                       access-list 101 permit icmp 76.X.X.X 255.255.255.192 any echo-reply
                       access-group 101 in interface outside

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-13-2010 06:45 AM 

iketurner931 wrote:
                       I need a ASA/PIX firewall to respond to my ping eneting the outside interface from a specific subnet. Is this ACL correctly written to do that?
                       access-list 101 permit icmp 76.X.X.X 255.255.255.192 any echo-reply
                       access-group 101 in interface outside

An acl allows ping through the firewall not to the firewall.

You need this instead -

icmp permit 76.x.x.x 255.255.255.192 echo-reply outside

however by default an ASA should respond to ping on it's interfaces anyway so you need to check your config.

Note also that you cannot ping across the ASA to an interface so if you are outside you can ping the outside interface but not any of the others.

Jon

View solution in original post

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Charlie Mayes

‎05-13-2010 07:08 AM 

iketurner931 wrote:
               Thanks Jon,
                                 Are you saying that the Pix by default will not respond to pings but the ASA will?

No, the pix should respond by default to pings as well.

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-13-2010 06:45 AM 

iketurner931 wrote:
                       I need a ASA/PIX firewall to respond to my ping eneting the outside interface from a specific subnet. Is this ACL correctly written to do that?
                       access-list 101 permit icmp 76.X.X.X 255.255.255.192 any echo-reply
                       access-group 101 in interface outside

An acl allows ping through the firewall not to the firewall.

You need this instead -

icmp permit 76.x.x.x 255.255.255.192 echo-reply outside

however by default an ASA should respond to ping on it's interfaces anyway so you need to check your config.

Note also that you cannot ping across the ASA to an interface so if you are outside you can ping the outside interface but not any of the others.

Jon

Go to solution
Charlie Mayes
Level 1
Level 1
In response to Jon Marshall

‎05-13-2010 06:59 AM

               Thanks Jon,

                                 Are you saying that the Pix by default will not respond to pings but the ASA will?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Charlie Mayes

‎05-13-2010 07:08 AM 

iketurner931 wrote:
               Thanks Jon,
                                 Are you saying that the Pix by default will not respond to pings but the ASA will?

No, the pix should respond by default to pings as well.

Jon

0 Helpful

Go to solution
Charlie Mayes
Level 1
Level 1
In response to Jon Marshall

‎05-13-2010 07:14 AM

                          Ok Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card