Cisco Support Community
New Member

ASA ACL issue

Greetings All,

I've tried to ping from the inside network to the outside, and in the normal case it has to be possible since:

Internal network has a security profile of 100

External network has a security profile of 0

And since the rule "Permit from a secure network to a not secure" is enabled, BUT still I can't ping from my inside interface (172.16.1.0/24) to the outside interface (10.10.10.0/24).

I even tried to modify the ACL to allow everything from inside to the outside and vice versa, but it still doesn't work.

Is it a bug or what? I'm really stuck here!!!

Thanks for your help guys.

PS: I have attached 2 print screens for more information.

5 REPLIES

Re: ASA ACL issue

Do you have syslog enabled? If yes, what does the log say about ICMP?

Remember, by default ICMP won't be inspected. Therefore, you have to either permit echo-reply on the outside interface or enable ICMP inspection. Since you have already configured "permit any" on the outside interface, you should be able to ping.

If the packet was dropped by the ASA, you should see something in the log or by enabling "debug icmp trace 255".
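
The two options named in the reply above, written out as ASA configuration. This is an added example, not part of the thread and not the poster's configuration. The ACL name `outside_access_in` and the two host addresses are assumptions, chosen inside the subnets quoted in the question, and the default `global_policy` / `inspection_default` objects are assumed to still be in place.

```cisco
! Option A (preferred): inspect ICMP so the ASA tracks each echo request
! and lets only the matching echo-reply back in. No inbound ACL entry is
! needed on the outside interface for the return traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B: without inspection, the echo-reply arriving on the outside
! interface is treated as new inbound traffic and must be permitted by ACL.
! Limit it to the reply type instead of using "permit ip any any".
! (ACL name is an assumption.)
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
!
! Verify which rule handles the flow. ICMP type 8 code 0 is echo request.
! Host addresses below are constructed samples, not taken from the thread.
packet-tracer input inside icmp 172.16.1.10 8 0 10.10.10.10 detailed
!
! Watch live ICMP handling and connection build-up or drops.
debug icmp trace
show logging | include ICMP
```

Option A keeps the outside ACL closed to unsolicited ICMP, which is why it is usually the better choice than opening the outside interface with a broad permit.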

New Member

Re: ASA ACL issue

Thanks for your reply, I appreciate it.

Well, in the normal case, since I have permitted the ICMP traffic from the outside to the inside and vice versa, ICMP traffic has to go through, but it's not.

I have checked the packet tracer and it says that the ACL is dropping the packet, and it seems that it's bypassing the rule that I have.

I have attached a copy of my run config.

Thanks for your help.

Kindly

Seifeddine Tlili

Re: ASA ACL issue

Your config looks good.

Can you post the output of the packet trace?

New Member

Re: ASA ACL issue

Thanks for your reply. Well, it seems that I can't use a ping with a source address of the inside interface to the outside interface; however, I can ping from an inside host to an outside host. Isn't that weird?

Thanks for all

Re: ASA ACL issue

Not sure what you are trying to ping.

Remember, you cannot ping from a host in the inside network to the IP address of the ASA's outside interface. This is expected behavior.
