
ASA Firewall questions

fangwen meng
Level 1

guys:

ASA firewall ios version 9.0

pc1--(inside)-----ASA-----(outside)----pc2

I want pc1 and pc2 to be able to ping each other and visit each other.

Like a router, without using NAT. How can I do that?

If you can, give me some configuration.

Thank you very much.


Jouni Forss
VIP Alumni

Hi,

Well it pretty much depends on the setup.

If you only have a firewall deployed between 2 internal networks then you don't need NAT configurations at all. Naturally you will have to allow the traffic in the interface ACLs in question and make sure all route configurations are correct if there are more devices than the ASA involved.

It's hard to give any configurations when we don't know any address spaces and other related information.

- Jouni

Thank you very much.

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0

access-list 111 permit icmp any any
access-list 111 permit ip any any
access-group 111 in interface inside
access-group 111 in interface outside

route outside 0.0.0.0 0.0.0.0 2.2.2.2

PC1 IP 1.1.1.2
    mask 255.255.255.0
    gateway 1.1.1.1

PC2 IP 2.2.2.2
    mask 255.255.255.0
    gateway 2.2.2.1

Now pc1 can ping pc2, but pc2 cannot ping pc1.

Hi,

Let's use "packet-tracer" to test.

Insert this command in the CLI of the ASA and post the output (if you have changed the actual IP address then use the real ones in the command).

packet-tracer input outside icmp 2.2.2.2 8 0 1.1.1.2

Though there is always a chance that a software firewall on the PC1 is blocking the ICMP and simply doesn't reply to the ICMP Echo at all. That might be worth checking out.

- Jouni
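An added example, not part of the thread or of any poster's configuration: the permit-everything ACL from the posted config next to a scoped alternative that allows only ping between the two hosts, followed by the packet-tracer checks for both directions. The addresses are the ones posted above; the ACL names INSIDE_IN and OUTSIDE_IN are assumptions.

```cisco
! Added example. ACL names INSIDE_IN / OUTSIDE_IN are assumed, not from the thread.
!
! As posted: one ACL that permits all IP, bound inbound on BOTH interfaces,
! so anything reachable via "outside" can open connections to "inside".
!   access-list 111 permit icmp any any
!   access-list 111 permit ip any any
!   access-group 111 in interface inside
!   access-group 111 in interface outside
!
! Scoped alternative: only ICMP echo and echo-reply between PC1 and PC2.
! ICMP replies are not allowed back automatically unless "inspect icmp" is
! enabled, so echo-reply is permitted explicitly in each direction.
no access-group 111 in interface inside
no access-group 111 in interface outside
!
access-list INSIDE_IN extended permit icmp host 1.1.1.2 host 2.2.2.2 echo
access-list INSIDE_IN extended permit icmp host 1.1.1.2 host 2.2.2.2 echo-reply
access-list OUTSIDE_IN extended permit icmp host 2.2.2.2 host 1.1.1.2 echo
access-list OUTSIDE_IN extended permit icmp host 2.2.2.2 host 1.1.1.2 echo-reply
!
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
!
! Verify each direction on the ASA itself (ICMP type 8, code 0 = echo request).
packet-tracer input inside icmp 1.1.1.2 8 0 2.2.2.2
packet-tracer input outside icmp 2.2.2.2 8 0 1.1.1.2
!
! Hit counters show whether the echo from PC2 actually reaches the outside ACL.
show access-list OUTSIDE_IN
```

This covers ping only; any other traffic the two hosts need would require its own specific entries. If packet-tracer reports the flow as allowed while the ping still fails, the drop is happening beyond the ASA, for example at a host firewall.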

pc1 <------> pc2

Without the ASA, they can connect through to each other.

Does the firewall configuration have a problem?

What do you think?

Thanks

Hi,

I posted the "packet-tracer" command that you should issue on the ASA to tell us if there is a problem.

Without it I can't really tell what the problem is.

Post the output.

- Jouni

Please check PC firewall settings; in some cases antivirus settings also have network protection. Also check the ARP table and logs on the ASA, but as Jouni indicates, please forward the packet-tracer output.

Value our effort and rate the assistance!

Do you still need assistance?

Please rate our assistance.
