Cisco Support Community
Community Member

unable to ping from MZ to firewall

Dear All,

I am unable to ping from the MZ zone to the firewall IP. Can anybody please advise me how to enable ping?

I have my Spectrum server in the MZ zone with security level 70 and the firewall inside IP with security level 100. Now I am unable to ping from the Spectrum server to my firewall inside IP.

Can anybody help me?



Super Bronze

unable to ping from MZ to firewall


To my understanding, you can ping a Cisco firewall's interface IP behind another interface.

Meaning you can ping an interface IP as long as the host is behind that interface.

For ICMP to work between hosts on 2 different interfaces, please check that you have the access-list allowing it and that you have the following configuration:

policy-map global_policy
 class inspection_default
  inspect icmp

- Jouni

Community Member

unable to ping from MZ to firewall

By default, ICMP is denied passage from a low security level to a high security level. When one host sends an ICMP request to any host, it goes to port 0, and when the ICMP reply comes back, it comes to port because the ASA uses stateful packet inspection; the host does not see the reachability by ping.

If you want to, you want to deploy an access-list:

access-list 101 permit icmp any any
! or any particular host
access-group 101 in interface MZ

It gives you less security.

Community Member

Re: unable to ping from MZ to firewall

A better solution is to enable the ICMP inspector. ICMP is not a stateful protocol at all, but the ASA can infer enough information to make it seem stateful. The ICMP inspector can selectively (and automatically) open a “connection” to permit return traffic based on the original outbound requests. It will permit only one response to return for every request that is sent out. The ICMP sequence numbers must also match between a request and a reply packet. With “stateful” ICMP inspection, the ICMP connections and xlate entries can be quickly torn down as soon as the appropriate reply is received.

You can enable ICMP inspection as an action within a policy map by using the inspect icmp command. By default, the ICMP inspector does not permit any ICMP error packets to return. This is because an ICMP error message can be sent from an address other than the original ICMP target. You can use the inspect icmp error command to enable ICMP error processing as part of ICMP inspection.

Example 9-10 shows how ICMP and ICMP error inspection can be enabled globally, within the global_policy policy map.

Example 9-10 Enabling ICMP and ICMP Error Inspection Globally

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit


Hope it will help you.

Let us know if it does not work.
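
The matching rules described in the reply above (one reply per request, identical sequence number, errors only with error inspection enabled), modelled as an added example that is not part of the original thread and is not Cisco's implementation. The class, method and field names are hypothetical, the addresses are constructed documentation-range values, and timeouts and NAT xlate handling are left out.

```python
# Simplified model of the ICMP inspection rules described above (added
# example, not Cisco code). Class and method names are hypothetical.
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8   # ICMP type numbers

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0
    seq: int = 0
    quoted: Optional["Icmp"] = None   # request quoted inside an ICMP error

class IcmpInspector:
    def __init__(self, inspect_error=False):
        self.inspect_error = inspect_error   # models "inspect icmp error"
        self.pending = set()                 # open (client, target, id, seq)

    def outbound(self, pkt):
        """An echo request that the ACL already allowed opens one entry."""
        if pkt.type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "permit"

    def inbound(self, pkt):
        """Return traffic passes only if it matches an open entry."""
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.remove(key)     # torn down after the one reply
                return "permit"
            return "drop"
        q = pkt.quoted
        if q is not None and self.inspect_error:
            # Errors may come from a hop other than the target, so match on
            # the quoted request rather than on the error's source address.
            if pkt.dst == q.src and (q.src, q.dst, q.ident, q.seq) in self.pending:
                return "permit"
        return "drop"

def demo():
    """Constructed traffic: one request, its reply, then a replayed reply."""
    fw = IcmpInspector()
    fw.outbound(Icmp("192.0.2.10", "198.51.100.20", ECHO_REQUEST, 7, 1))
    reply = Icmp("198.51.100.20", "192.0.2.10", ECHO_REPLY, 7, 1)
    return [fw.inbound(reply), fw.inbound(reply)]   # second copy is dropped

if __name__ == "__main__":
    print(demo())
```
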
