Cisco Support Community

PING not available

Hi,

I have a 5520 with a basic configuration. I cannot ping a server directly connected to the DMZ interface from a PC on the inside interface. The DMZ interface is up, and from the ASA I can ping this server. The message I see on the ASA is


The adaptive security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted

But I have configured "Allow any IP traffic" from the outside interface. There is no NAT configured. Any idea why this could be?

Thank you,

Best Regards

3 REPLIES
Cisco Employee

Re: PING not available

Well, if you are trying to ping from an inside host towards a DMZ host, you would need to configure the ACL on the inside interface to allow the access, not on the outside interface, because the outside interface is not in the traffic path.

You would also need to configure a static translation to itself between inside and dmz, unless you have "nat-control" disabled and you have no NAT statement configured at all.

Lastly, you would need to configure "inspect icmp" under the global policy in the default inspection class.

Hope that helps.

Re: PING not available

Thank you.

Sorry, I didn't explain well. I have configured an ACL to allow access to the DMZ server. I haven't got any NAT configured on the DMZ, and inspect icmp is applied. The log says there is no policy to allow this traffic, but I have a "permit any any".

I just solved it. I had the same security level on the DMZ and on the inside interface from which I was testing (in this firewall there are 4 different inside interfaces, each one with a different security level). I needed to mark "Enable traffic between two or more interfaces which are configured with same security levels". I thought that if you configured explicit rules it was not necessary. I was wrong :-)

Thank you for your fast answer.

Cisco Employee

Re: PING not available

Great, you are right, for the same security level you would need to configure "same-security-traffic permit inter-interface".
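For reference, here is the whole fix from this thread pulled together into one ASA configuration fragment, plus the check that would have located the drop in the first place. This is an added example, not configuration from the original posters or from Cisco. It assumes pre-8.3 ASA software (the thread talks about nat-control, which was removed in 8.3), interfaces named inside and dmz that both sit at security-level 50, an inside subnet of 10.1.1.0/24 with a test PC at 10.1.1.10, and a DMZ server at 192.168.10.5; all of those names and addresses are made up for illustration.

```cisco
! Added example, not from the original thread. Assumed: pre-8.3 ASA,
! interfaces "inside" and "dmz" both at security-level 50, inside subnet
! 10.1.1.0/24 (test PC 10.1.1.10), DMZ server 192.168.10.5.
!
! 1. Two interfaces at the same security level: without this global
!    command the ASA drops traffic between them no matter what the ACLs
!    say, which is exactly the symptom in the thread.
same-security-traffic permit inter-interface
!
! 2. The ACL goes on the interface the traffic enters (inside). Outside
!    is not in the path. Rather than "permit ip any any", allow only
!    what is needed: echo requests from the inside subnet to the DMZ host.
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 host 192.168.10.5 echo
access-group inside_access_in in interface inside
!
! 3. Only needed if nat-control is enabled or a nat/global pair already
!    matches the inside hosts: an identity static so inside addresses
!    are "translated" to themselves toward dmz.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! 4. ICMP inspection so the echo reply is matched to its request and
!    allowed back without a separate ACL entry on the dmz interface.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Check: simulate an echo request (ICMP type 8, code 0) from the PC to
! the server through the full pipeline. The output names the phase that
! drops the packet (same-security check, ACL, NAT or inspection), so you
! do not have to guess from the syslog alone.
packet-tracer input inside icmp 10.1.1.10 8 0 192.168.10.5
```

Two notes on the design. `same-security-traffic permit inter-interface` is global: it opens the path between every pair of interfaces that share a level, subject to their ACLs, not just inside and dmz. If the intent is really "inside may reach the DMZ but not the other way round", the conventional layout is to give the dmz interface a lower security level than inside and leave the same-security command off. And on 8.3 and later the `static` line above does not exist; nat-control is gone and, with no NAT rule matching the inside-to-dmz flow, no identity NAT is required for the ping to pass.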
