04-01-2014 09:27 PM - edited 03-11-2019 09:01 PM
Dear All,
Please help. I have a Cisco ASA5512 which is configured to access the internet, but I wonder why my inside host PC cannot ping the outside interface IP, which I set as security level 0. Please guide me on how to allow them to access the outside interface.
Thanks and best regards,
04-02-2014 12:43 AM
By default you will not be able to ping an ASA interface that is not the ingress interface. If you want to be able to ping the outside interface from an inside host you would need to add the following command (just change the inside IP/subnet to the required value):
icmp permit 192.168.1.0 255.255.255.0 outside
--
Please remember to rate and select a correct answer
04-02-2014 01:09 AM
Dear Marius Gunnerud,
Many thanks for your reply, but I tried these commands:
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit any outside
icmp permit any outside echo
icmp permit any outside echo-reply
--
and yours also, but it didn't work. Can you give me any suggestions?
Thanks and best regards,
04-02-2014 02:42 AM
I correct my previous statement.
The icmp permit command is only so that you do not have to add an ACL to the interface to deny or allow ICMP request/reply on that specific ingress interface.
The ASA will not allow ping to another interface that is not the ingress interface. There is no way around this.
--
Please remember to rate and select a correct answer
04-02-2014 01:10 AM
From what I understand, you will not be able to ping the outside interface of the ASA from any hosts behind the inside interface; the ASA will not allow this by design. The only ping allowed is to the nearest interface of the ASA, e.g. a ping to the ASA inside interface from hosts behind the inside interface, or a ping to the ASA DMZ interface from hosts behind the DMZ interface.