
ASA ACL issue

Greetings all,

I've tried to ping from the inside network to the outside, and in the normal case it has to be possible since:

Internal network has a security profile of 100

External network has a security profile of 0

And since the rule "Permit from a secure network to a not secure" is enabled, BUT I still can't ping from my inside interface (172.16.1.0/24) to the outside interface (10.10.10.0/24).

I even tried to modify the ACL to allow everything from inside to outside and vice versa, but it still doesn't work.

Is it a bug or what? I'm really stuck here!!!

Thanks for your help guys.

PS: I have attached 2 print screens for more information.


Yudong Wu
Level 7

Do you have syslog enabled? If yes, what does the log say about ICMP?

Remember by default, ICMP won't be inspected. Therefore, you have to either permit echo-reply on outside interface or enable icmp inspection. Since you have already configured "permit any" on outside interface, you should be able to ping.

If the packet was dropped by the ASA, you should see something in the log or by enabling "debug icmp trace 255".
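
The two options named in the reply above, written out as ASA configuration. This is an added example, not part of the thread; the ACL name `OUTSIDE_IN` is an assumption, and `global_policy` / `inspection_default` are the names used in the ASA default configuration.

```cisco
! Added example; the ACL name OUTSIDE_IN is an assumption.
!
! Option 1: statically permit returning echo replies on the outside interface.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! Option 2: inspect ICMP so that only replies matching an outstanding
! echo request are let back in; no inbound ICMP rule is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Option 2 is the narrower of the two: the static entry admits any echo-reply from any source, while inspection ties each reply to a request that left through the firewall.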

Thanks for your reply, I appreciate it.

Well, in the normal case, since I have permitted the ICMP traffic from the outside to the inside and vice versa, ICMP traffic has to go through, but it's not.

I have checked the packet tracer and it says that the ACL is dropping the packet, and it seems that it's bypassing the rule that I have.

I have attached a copy of my running config.

Thanks for your help.

Kindly

Seifeddine Tlili

Your config looks good.

Can you post the output of packet tracer?

Thanks for your reply. Well, it seems that I can't ping with the inside interface as the source address to the outside interface, however I can ping from an inside host to an outside host. Isn't that weird?

Thanks for all

Not sure what you are trying to ping.

Remember, you cannot ping from a host in the inside network to the IP address of the ASA's outside interface. This is expected behavior.
