Cisco Support Community
Can't Ping ASA different interfaces

We are using a Cisco ASA 5580 (8.2) firewall. When I try to ping from the inside LAN to the firewall DMZ interface IP, it is not pingable, but from inside users I am able to ping the firewall inside interface IP address.

I think we can't ping other interfaces of the ASA by default. But can we allow a single IP address that can ping all the interfaces of the firewall?

We are not doing any natting in firewall, for that we used the Load Balancer.

Thanks...

7 REPLIES

Hello Jayesh,

The ASA, as a security device, will not allow you to ping a distant interface....

What is a distant interface?

As an example, imagine you are on a host behind the inside interface.. You will be able to ping the inside interface but you will NOT be able to ping the DMZ or outside interface... This is because they are distant interfaces for the inside host..

There is nothing you can do to change that behavior; this is done as a security measure by the ASA (built-in feature).

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jayesh,

Julio is right that ping is not allowed by default. But you can still allow the ping by allowing ICMP in your DMZ access-list for a specific host. You also need to allow ICMP from the DMZ interface.

ASA(config)# icmp permit host xxxx echo DMZ

ASA(config)# access-list DMZ-In extended permit icmp xxxx(DMZ host) host yyyy(inside host)

Thanks,

Jong

Hello Jong,

I think he is referring to pinging the DMZ interface from the inside.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Hi Julio,

Oh yes.. it's the interface and not the host. You're correct, ping is not allowed for this scenario.

Regards,

Jong

Hello Jong,

Yep, that is right.

Have a good one!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Thanks All....

Is there any Cisco document available where this is mentioned?
