Cisco Support Community
New Member

Why can't the inside interface with a higher security level on ASA 5545 ping the DMZ interface with a lower security level

Why can't the inside interface with a higher security level on ASA 5545 ping the DMZ interface with a lower security level? No NAT is configured. I expect by default, I should be able to ping a lower security level from a higher security level interface on the ASA.

4 REPLIES
VIP Purple

If there is no ACL applied to the higher interface that denies the traffic, then the higher security-system can ping the system on the lower level. But with the ASA-defaults, ICMP is not stateful and the replies are dropped. To make it stateful you have to extend your default policy-map:

policy-map global_policy
 class inspection_default
  inspect icmp

 


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hello Karsten,

Thanks for the reply, have included the command, but still cannot ping the lower interface.

VIP Purple

What are you trying exactly? Ping a system on the lower security-level or the lower security-level ASA-interface? The latter is not supported on the ASA. Then test it with a ping to a system in the DMZ.


New Member

Hello Karsten,

Thanks a lot. I was pinging the lower security level on the ASA-interface. I can ping a system in the DMZ now.
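The fix and the test discussed in this thread, as an added example that is not part of any participant's post: it enables ICMP inspection in the default policy and then checks the path to a host behind the DMZ rather than to the ASA's own DMZ interface. The interface names (inside, dmz) and all addresses are constructed for illustration.

```cisco
! Assumed (constructed) addressing:
!   inside host   10.1.1.10
!   DMZ host      192.168.50.10
!   ASA dmz intf  192.168.50.1  (far-side interface, not a valid ping target from inside)
!
configure terminal
 policy-map global_policy
  class inspection_default
   ! Track echo requests so the matching echo replies are allowed back
   ! from the lower security level without an inbound ACL on dmz.
   inspect icmp
end
!
! Confirm that the inspection is present in the running configuration
! and that the global policy is applying it.
show running-config policy-map
show service-policy inspect icmp
!
! Simulate an echo request (ICMP type 8, code 0) entering the inside
! interface and destined to the DMZ host. The destination is a system
! in the DMZ, not 192.168.50.1.
packet-tracer input inside icmp 10.1.1.10 8 0 192.168.50.10 detailed
```

With inspection in place, no access-list entry permitting echo-reply is needed on the DMZ interface, which keeps the lower security level closed to unsolicited ICMP.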
