New Member

ICMP ECHO denied by asa

Dear ALL,

I am trying to ping a public IP address from a remote site router, but the packet is being denied. Split tunneling is configured on the central site ASA so the remote sites can have access to the internet through the ASA. Here is a copy of the ASA the logs on the ASA and the remote site router. Please help.

Cisco Employee

Re: ICMP ECHO denied by asa

Pls. provide us a topology like below and let us know what path these ICMP requests are supposed to take.


Which IP address are you trying to ping and from where?

The syslogs indicate that the replies from are being dropped.

ICMP type 0 is reply.

Here is the link to the syslog

Do you know when the requests are sent and when the replies come back?

Captures on the ASA's LAN interface would show this.

cap caplan int LAN match icmp any any

do the ping test

sh cap caplan

Try the following:

conf t

timeout icmp 0:0:4
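The question above, when the requests are sent and when the replies come back, can be answered from the capture by pairing each echo request with its reply and comparing the delay with the ICMP timeout. The following is an added example, not part of the original post: the capture lines are constructed in a tcpdump-like style with documentation addresses, the function names are hypothetical, and it assumes a reply that arrives after the timeout no longer matches a session on the firewall.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the tcpdump-like style of "sh cap" output; the
# addresses are documentation ranges, not values from this thread.
SAMPLE_CAPTURE = """\
   1: 10:15:01.100000 192.0.2.10 > 198.51.100.53: icmp: echo request
   2: 10:15:01.350000 198.51.100.53 > 192.0.2.10: icmp: echo reply
   3: 10:15:02.100000 192.0.2.10 > 198.51.100.53: icmp: echo request
   4: 10:15:05.600000 198.51.100.53 > 192.0.2.10: icmp: echo reply
   5: 10:15:06.100000 192.0.2.10 > 198.51.100.53: icmp: echo request
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+(\d+):(\d+):(\d+\.\d+)\s+(\S+)\s+>\s+(\S+):\s+icmp:\s+echo (request|reply)"
)

def parse_timeout(hms):
    """Convert an h:m:s value such as '0:0:4' to seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s

def audit_capture(text, icmp_timeout="0:0:4"):
    """Pair requests with replies per flow (oldest first) and judge each delay."""
    limit = parse_timeout(icmp_timeout)
    pending = defaultdict(deque)  # (requester, target) -> request timestamps
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ICMP echo line
        hh, mm, ss, src, dst, kind = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)  # assumes one calendar day
        if kind == "request":
            pending[(src, dst)].append(ts)
            continue
        queue = pending[(dst, src)]  # a reply travels target -> requester
        if not queue:
            results.append((dst, src, None, "reply with no request seen"))
            continue
        delay = round(ts - queue.popleft(), 3)
        verdict = "ok" if delay <= limit else "reply later than timeout"
        results.append((dst, src, delay, verdict))
    for (src, dst), queue in pending.items():
        results.extend((src, dst, None, "request never answered") for _ in queue)
    return results
```

Each result is (requester, target, delay in seconds, verdict); running the same capture text with the old and the new timeout value shows whether the change would have covered the slow replies.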

New Member

Re: ICMP ECHO denied by asa

Here is the topology

BranchRTR(inside) SERVER(

I am trying to ping isp dns) from the branch router outside interface. Are my access-lists and config OK for the branch to access the internet? What is wrong?

New Member

Re: ICMP ECHO denied by asa


1. In your log there is no information about ICMP packets with the addresses you said.

2. There is no routing for the way back on the ASA_AA for your Transfernetwork. You'd need - route liaison_BLR -

PS: traceroute is your friend
