inside host asa cannot ping high security level

sokmeng.min
Level 1

Dear All,

Please help. I have a Cisco ASA5512 which is configured to access the internet, but I very much wonder why my inside host PC cannot ping the outside interface IP, which I set as security level 0. Please guide me on how to allow them to access the outside interface.

Thanks and best regards,

4 Replies

By default you will not be able to ping an ASA interface that is not the ingress interface.  If you want to be able to ping the outside interface from an inside host you would need to add the following command (just change the inside IP/subnet to the required value):

icmp permit 192.168.1.0 255.255.255.0 outside


Dear Marius Gunnerud,

 

Many thanks for your reply, but I tried these commands:

icmp permit 192.168.1.0 255.255.255.0 outside

icmp permit any outside

icmp permit any outside echo

icmp permit any outside echo-reply

--

and yours also, but it didn't work. Can you give me any suggestions?

 

Thanks and best regards,

I correct my previous statement.

The icmp permit command is only so that you do not have to add an ACL to the interface to deny or allow ICMP request/reply on that specific ingress interface.

The ASA will not allow ping to another interface that is not the ingress interface. There is no way around this.


Rudy Sanjoko
Level 4

From what I understand, you will not be able to ping the outside interface of the ASA from any hosts behind the inside interface; the ASA will not allow this by design. The only ping allowed is to the nearest interface of the ASA, e.g. ping to the ASA inside interface from hosts behind the inside interface, or ping to the ASA DMZ interface from hosts behind the DMZ interface.
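
The behaviour described in the replies above, written as a small Python model. This is an example added here, not part of the thread and not Cisco code. The default-permit, first-match and implicit-deny steps follow Cisco's documented handling of icmp rules and are assumptions relative to this thread; the host address, rule class and function name are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IcmpRule:
    """One 'icmp permit|deny' line, reduced to the fields this model needs."""
    action: str                      # "permit" or "deny"
    source: str                      # CIDR form; "0.0.0.0/0" stands for 'any'
    interface: str                   # interface name the rule is bound to
    icmp_type: Optional[str] = None  # None matches every ICMP type


def ping_asa_interface(src_ip, ingress_if, target_if, rules, icmp_type="echo"):
    """Decide whether the ASA answers ICMP sent to one of its own interfaces.

    Returns (answered, reason)."""
    # Far-side check comes first: rules bound to the target interface are
    # never consulted for traffic that entered through a different interface.
    if target_if != ingress_if:
        return False, "far-side interface"
    bound = [r for r in rules if r.interface == ingress_if]
    if not bound:
        return True, "default permit"   # assumption: documented ASA default
    src = ipaddress.ip_address(src_ip)
    for rule in bound:                  # assumption: first matching rule wins
        if src in ipaddress.ip_network(rule.source) and rule.icmp_type in (None, icmp_type):
            return rule.action == "permit", "matched rule"
    return False, "implicit deny"       # assumption: documented ASA behaviour


# Constructed sample: the rules tried in the thread, all bound to 'outside'.
TRIED = [
    IcmpRule("permit", "192.168.1.0/24", "outside"),
    IcmpRule("permit", "0.0.0.0/0", "outside"),
    IcmpRule("permit", "0.0.0.0/0", "outside", "echo"),
    IcmpRule("permit", "0.0.0.0/0", "outside", "echo-reply"),
]
HOST = "192.168.1.10"  # constructed inside host address

if __name__ == "__main__":
    for target in ("inside", "outside"):
        print(target, ping_asa_interface(HOST, "inside", target, TRIED))
```

The rules bound to outside only change the result for traffic that arrives on outside, which is why none of the commands tried in the thread affected the inside host.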
