Cannot Ping www.google.com but the Internet works

Unanswered Question
Jan 12th, 2012
User Badges:

I have recently made some chages to my ASA 5510 (not sure what) I was previously able to ping www.google.com, and I am now not able to ping anything on the Internet, but The Internet connectivity work perfectly. What can I do on my ASA to resolve this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
varrao Thu, 01/12/2012 - 14:37
User Badges:
  • Red, 2250 points or more

Yes that is correct:


ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)#  class inspection_default

ciscoasa(config-pmap-c)# inspect icmp


It should work after this



Thanks,

Varun

cjsunderland Thu, 01/12/2012 - 14:42
User Badges:

hou-fw(config)# policy-map global_policy

hou-fw(config)# class inspection_default

hou-fw(config-cmap)# inspect icmp

                                  ^

ERROR: % Invalid input detected at '^' marker. hou-fw(config)# class inspection_default


This is what I get

varrao Thu, 01/12/2012 - 14:58
User Badges:
  • Red, 2250 points or more

Hi Chris,


Not sure if you have a policy-map global_policy configured, you can chcek that by the command:



show run policy-map


Chcek what policy-map do you have, under that policy map you would have a class map as well, go into that and then do inspect icmp.


Like mine has:


policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp


So I do:


ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)#  class inspection_default

ciscoasa(config-pmap-c)# inspect icmp



Another way to do it would be to allow the ping replies on the ACL that you have applied on teh outside interface, for that you need to first chcek the name of the access-list that is applied on the outside interface, first do:


show run access-group


it shoudl do:

access-group outside_in in interface outside


then add the acl:


access-list outside_in permit icmp any any


and it shoudl start pinging after that.



Thanks,

Varun

cjsunderland Thu, 01/12/2012 - 15:08
User Badges:

I have


policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

varrao Thu, 01/12/2012 - 15:36
User Badges:
  • Red, 2250 points or more

Then you just need to get into the policy-map and then class and apply the inspection.


ASA(config)#policy-map global_policy

ASA(config-pmap)# class inpsection_default

ASA(config-pmap-c)# inspect icmp


If this does not go right then may be somewhere something is not done correct or you can also try my ACL suggestion.


PS - Have a look at the things that I have in bold, you shoudl get the same while using the commands.


Thanks,

Varun

varrao Thu, 01/12/2012 - 14:22
User Badges:
  • Red, 2250 points or more

Hi Chris,


can you add "inspect icmp" in the policy-map and try again??/



policy-map global_policy

class inspection_default

   inspect icmp



let me know if it works after this.


Thanks,

Varun

Actions

This Discussion

Related Content