
Cannot Ping www.google.com but the Internet works

cjsunderland
Level 1

I have recently made some changes to my ASA 5510 (not sure what). I was previously able to ping www.google.com, and I am now not able to ping anything on the Internet, but the Internet connectivity works perfectly. What can I do on my ASA to resolve this?

7 Replies

varrao
Level 10

Hi Chris,

Can you add "inspect icmp" in the policy-map and try again?

policy-map global_policy

class inspection_default

   inspect icmp

Let me know if it works after this.

Thanks,

Varun

Thanks,
Varun Rao

Is this done from global configuration mode?

Yes, that is correct:

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)#  class inspection_default

ciscoasa(config-pmap-c)# inspect icmp

It should work after this

Thanks,

Varun

Thanks,
Varun Rao

hou-fw(config)# policy-map global_policy

hou-fw(config)# class inspection_default

hou-fw(config-cmap)# inspect icmp

                                  ^

ERROR: % Invalid input detected at '^' marker. hou-fw(config)# class inspection_default

This is what I get

Hi Chris,

Not sure if you have a policy-map global_policy configured. You can check that with the command:

show run policy-map

Check which policy-map you have. Under that policy-map you would have a class map as well; go into that and then do inspect icmp.

Like mine has:

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

So I do:

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)#  class inspection_default

ciscoasa(config-pmap-c)# inspect icmp

Another way to do it would be to allow the ping replies on the ACL that you have applied on the outside interface. For that you need to first check the name of the access-list that is applied on the outside interface. First do:

show run access-group

It should do:

access-group outside_in in interface outside

Then add the ACL:

access-list outside_in permit icmp any any

And it should start pinging after that.

Thanks,

Varun

Thanks,
Varun Rao
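
The two options in the reply above (ICMP inspection under the global policy, or a blanket `permit icmp any any` on the ACL bound to the outside interface) can be checked against a saved running-config. This is an added example, not part of the thread: the sample config is constructed, the function names are hypothetical, and it assumes `show run` indentation, where sub-mode lines start with a space.

```python
import re

# Constructed sample running-config (not taken from the devices in this thread).
SAMPLE_CONFIG = """\
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list dmz_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
service-policy global_policy global
"""

def icmp_inspected(config, policy="global_policy", cls="inspection_default"):
    """True if a bare 'inspect icmp' sits under the given policy-map and class."""
    in_policy = in_class = False
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():  # a top-level command ends any sub-mode
            in_policy = words[:2] == ["policy-map", policy]
            in_class = False
        elif in_policy and words[0] == "class":
            in_class = words[1:2] == [cls]
        elif in_class and words == ["inspect", "icmp"]:
            return True
    return False

def broad_icmp_acls(config):
    """ACL lines bound inbound by access-group that permit all ICMP types."""
    bound = {m.group(1) for m in
             re.finditer(r"^access-group (\S+) in interface \S+", config, re.M)}
    pat = re.compile(
        r"^access-list (\S+) (?:extended )?permit icmp any any[ \t]*$", re.M)
    return [m.group(0).strip() for m in pat.finditer(config)
            if m.group(1) in bound]

def audit(config):
    """Summarise both findings for one configuration."""
    return {"icmp_inspection": icmp_inspected(config),
            "broad_icmp_acl": broad_icmp_acls(config)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A config that reports `icmp_inspection` as true and an empty `broad_icmp_acl` list relies on stateful inspection to admit echo replies, so the outside ACL does not have to accept unsolicited ICMP.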

I have

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

Then you just need to get into the policy-map and then class and apply the inspection.

ASA(config)#policy-map global_policy

ASA(config-pmap)# class inspection_default

ASA(config-pmap-c)# inspect icmp

If this does not go right, then maybe something somewhere is not done correctly, or you can also try my ACL suggestion.

PS - Have a look at the things that I have in bold; you should get the same while using the commands.

Thanks,

Varun

Thanks,
Varun Rao