PING not avilable

Unanswered Question
Aug 11th, 2010
User Badges:


I have a 5520 with a basic configuraction. I cannot ping to a Server directly connected to DMZ interface from a PC in inside interface. DMZ interface is UP and from the ASA I can ping this server. The message I see in the ASA is

The adaptive security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted

But I have configured Allow any IP traffict from the outside interface. There is not NAT configured. Any idea why can it be?

Thank you,

Best Regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Wed, 08/11/2010 - 04:50
User Badges:
  • Cisco Employee,

Well, if you are trying to ping from inside host towards dmz host, you would need to configure ACL on the inside interface to allow the access, not on the outside interface because outside interface does not come in the traffic path.

You would also need to configure static translation to itself between inside and dmz, unless you have "nat-control" disable and you have no NAT statement configured at all.

Lastly, you would need to configure "inspect icmp" under the global policy on the default class inspection.

Hope that helps.

carlosluqueportero Wed, 08/11/2010 - 05:23
User Badges:

Thank you.

Sorry. I didn´t explain well. I have configure ACL to allow access to DMZ server. I haven´t got any NAT configured in DMZ and inspect icmp is applied. The log say there is no policy to allow this traffic, but I have a "permit any any".

Just, I solved it. I have the same security level in DMZ and Inside from I was testing (In this firewall there are 4 different inside each one with a different security level). I needed mark "Enable traffic between two or more interfaces which are configured with same security levels". I thought if you configure explicit rules it was not necessary. I was wrong :-)

Thank you for your fast answer.

Jennifer Halim Wed, 08/11/2010 - 05:28
User Badges:
  • Cisco Employee,

Great, you are right, for same security, you would need to configure "same-security-traffic permit inter-interface"


This Discussion