
New Member

Can't ping ASA 5505 WAN from PC on LAN

Hi All,

Firewall rookie here.  I am setting up two mock sites to talk to each other, and I am having a very basic problem: I can't ping the outside interface IP (vlan 2) on my ASA from my PC that is directly attached to the inside (vlan 1) interface of the same ASA.

I've attached a diagram, along with the ASA configs. Please review and let me know what silly thing I am missing.

Thanks.

7 REPLIES

From the document located here: https://supportforums.cisco.com/document/146031/allow-icmp-through-cisco-asa

To allow ICMP:


1. NAT is required if the outside IP is from the public IP range (e.g. 209.165.200.0/24); for a private IP, NAT is not required.

2. NAT is not required if NAT Control is not enabled in the firewall.

3. NAT is required if NAT Control is enabled in the firewall, even if the outside IP is a private IP.

4. No ACL is needed, as by default traffic is allowed from a higher security level to a lower security level (in our case inside, 100, to outside, 0).

5. Just configure ICMP inspect to allow ping in our case:

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside

VIP Purple

You're not missing anything ... That's just not supported on the ASA. You can only ping the interface that's next to you. So if you are sitting inside of ASA1, you can ping ASA1-inside, but not ASA1-outside. You can (given you have access-control for that) ping ASA2-outside, but not ASA2-inside.

To ping through the ASA you should also reconfigure the ASA to make the ping stateful. For that you have to extend the default policy-map:

policy-map global_policy
 class inspection_default
  inspect icmp


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
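Both answers above come down to the same question: does "inspect icmp" sit in a policy-map that a service-policy actually applies (Michael's icmp_policy on the outside interface, or Karsten's addition to global_policy)? As an added example, not from the original thread and not Cisco's own tooling, the following Python script parses a constructed running-config excerpt and reports, per service-policy scope, whether ICMP inspection is enabled; the config text, the class name icmp-class and the one-space/two-space ASA indentation it relies on are assumptions for the example.

```python
import re
from typing import Dict, Set

# Constructed ASA running-config excerpt (not from the original post): the
# factory-default global_policy, which does NOT inspect ICMP, plus Michael's
# icmp_policy applied to the outside interface.
DEFAULT_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
!
service-policy global_policy global
service-policy icmp_policy interface outside
"""
# Karsten's fix: "inspect icmp" added under class inspection_default.
FIXED_CONFIG = DEFAULT_CONFIG.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")

def inspected_protocols(config: str) -> Dict[str, Set[str]]:
    """Map each policy-map name to the set of protocols it inspects."""
    policies, pmap, in_class = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command: ends any policy-map block
            pmap, in_class = None, False
            if line.startswith("policy-map "):
                pmap = line.split()[-1]      # last token is the name, even for "type inspect"
                policies.setdefault(pmap, set())
        elif pmap is not None:
            if line.startswith("class "):
                in_class = True
            elif in_class and line.startswith("inspect "):
                policies[pmap].add(line.split()[1])
    return policies

def icmp_inspection_status(config: str) -> Dict[str, bool]:
    """For each service-policy scope ('global' or an interface nameif): is ICMP inspected?"""
    policies = inspected_protocols(config)
    status = {}
    for raw in config.splitlines():
        m = re.match(r"service-policy (\S+) (?:(global)|interface (\S+))$", raw.strip())
        if m:
            status[m.group(2) or m.group(3)] = "icmp" in policies.get(m.group(1), set())
    return status
```

Running icmp_inspection_status on DEFAULT_CONFIG shows ICMP inspected only on outside, and on FIXED_CONFIG also via the global policy; neither setting makes the far-side interface itself pingable, as Karsten notes below.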
New Member

Thank you both.

Karsten,

To make it stateful, would I just add those commands you listed in addition to Michael's configs? Or would I need to make changes to Michael's configs in order to include your configs?

VIP Purple

I assumed that you have the following default-configuration:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mpf_service_policy.html#wp1163004


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

OK, so then all I need to do is have that default policy from your link configured, then basically add "inspect icmp" to it, and that should be all I need to ping through it?

VIP Purple

Yes, but still not the outside interface from the inside. But with that you can ping to another device on the outside.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Ok, gotcha.  Thank you Sir.
