Cisco Support Community
New Member

inside host asa cannot ping high security level

Dear All,

Please help. I have a Cisco ASA5512 which is configured to access the internet, but I wonder why my inside host PC cannot ping the outside interface IP, which I set as security level 0. Please guide me on how to allow them to access the outside interface.

Thanks and best regards,

4 REPLIES
VIP Green

By default you will not be able to ping an ASA interface that is not the ingress interface.  If you want to be able to ping the outside interface from an inside host you would need to add the following command (just change the inside IP/subnet to the required value):

icmp permit 192.168.1.0 255.255.255.0 outside

--

Please remember to rate and select a correct answer

New Member

Dear Marius Gunnerud,

 

Many thanks for your reply, but I tried these commands:

icmp permit 192.168.1.0 255.255.255.0 outside

icmp permit any outside

icmp permit any outside echo

icmp permit any outside echo-reply

--

and yours also, but it didn't work. Can you give me any suggestions?

 

Thanks and best regards,

VIP Green

I correct my previous statement.

The icmp permit command is only so that you do not have to add an ACL to the interface to deny or allow ICMP request/reply on that specific ingress interface.

The ASA will not allow ping to another interface that is not the ingress interface. There is no way around this.

--

Please remember to rate and select a correct answer


From what I understand, you will not be able to ping the outside interface of the ASA from any hosts behind the inside interface; the ASA will not allow this by design. The only ping allowed is to the nearest interface of the ASA, e.g. ping to the ASA inside interface from hosts behind the inside interface, or ping to the ASA DMZ interface from hosts behind the DMZ interface.
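
The behaviour described in the replies above, as an added configuration example that is not part of the original thread: `icmp` rules only govern pings addressed to the ASA interface a packet arrives on, so the outside list is the place to limit what the internet can send to the firewall itself, and reachability through the firewall is checked by pinging a host beyond it. The addresses 192.168.1.10 and 203.0.113.1 are constructed placeholders; `global_policy` and `inspection_default` are the ASA's default policy names.

```cisco
! Constructed example. 192.168.1.0/24 is the inside subnet used in the thread.
!
! To-the-box ICMP: each rule applies only to packets that ARRIVE on the named
! interface and are addressed to that same interface. Once an interface has
! any icmp rule, everything not permitted on it is implicitly denied.
!
! Inside hosts may ping the inside interface (their nearest interface).
icmp permit 192.168.1.0 255.255.255.0 echo inside
!
! Outside: accept only ICMP unreachable (needed for path MTU discovery) and
! drop everything else sent to the outside interface. A broad
! "icmp permit any outside" would instead let any internet host ping the
! firewall, and still would not let inside hosts reach that interface.
icmp permit any unreachable outside
icmp deny any outside
!
! Through-the-box ICMP: to test internet reachability from an inside host,
! ping a host beyond the ASA. ICMP inspection lets the echo-reply return
! statefully without an inbound ACL entry on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification (run from privileged EXEC mode):
!   show running-config icmp
!   packet-tracer input inside icmp 192.168.1.10 8 0 203.0.113.1
```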
