Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1940
Views
0
Helpful
3
Replies

ASA5505 unable to ping gateway - not the usual mistake

SwaltherBL
Level 1
Level 1

‎09-19-2013 11:32 AM - edited ‎03-11-2019 07:41 PM

Hi everybody,

I have a factory fresh ASA5505 (IOS: 9.1.2 ASDM: 7.1.3) sitting here, with absolute basic setup at the moment (coz I can't get further)

Hostname, internal and external IP addresses.

The fact is.. the ASA won't ping the default gateway.. no chance.

In detail:

External Interface has .217 and the gateway is on the same subnet .211 both with a /28 subnet

Doing a ping via ASDM or CLI fails (and of course from the "internal" laptop too). Altough the ASA can ping all inside hosts (my config laptop)

Yes - I configured ICMP allow any any rules

Yes - I configured the default missing ICMP inspection class maps.

All of no avail.

Here comes the problem:

connecting a spare laptop to the external wire (unplug from ASA external interface and plug into laptop) after configuring the laptop with the same IP address (.217/28) it works without any issues.. pings flow and I can get past the gateway into the internet.

Plugging back the ASA..again, no ping.

Does anyone of you have an idea? Is the box broken? (did a factory reset and configured it again..still the same)

Thanks a lot!

Labels:
0 Helpful
3 Replies 3

Tariq Bader
Cisco Employee
Cisco Employee

‎09-20-2013 06:07 PM

Hello Sebastian,

As a security device, our ASA has the ICMP denied by default by the effect of the implicit deny any any ACL applied on the outside interface, so we need to explicitly permit it like follows:

access-list outside_in permit icmp any any

access-group outside_in in interface outside

And you should be fine then.

Tariq

0 Helpful

Antonio Simoes
Level 1
Level 1
In response to Tariq Bader

‎09-21-2013 04:34 PM

Hi,

You tried to ping other outside IP like 8.8.8.8 for exemple?

Show that config man!

Take care

0 Helpful

malshbou
Level 1
Level 1

‎09-22-2013 12:54 AM

Hi Sebastian,

Is the ASA's physical interface that is connected to the gateway assigned to the same external vlan which has the interface vlan  x.y.z.217 /28   ?

You said:

" connecting a spare laptop to the external wire (unplug from ASA external interface and plug into laptop) after configuring the laptop with the same IP address (.217/28) it works without any issues"

If i were you, i would also plug this laptop to the gateway-side of the cable (after unplugging the cable  from the gateway) , so that the cable is now connecting the ASA to the laptop and the laptop is simulating the gateway, then assign the gateway's IP to the laptop and ping it from the ASA, and verify the result.

Regards.

--------

Mashal Shboul

------------------ Mashal Shboul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card