Cisco Support Community
New Member

ASA 5505: unable to ping external hosts

Hi,

I have a LAN behind ASA 5505, interface NAT/PAT is configured.

External interface is configured for PPPoE.

Everything works fine except I cannot ping external hosts from a LAN PC. I can, however, ping external hosts from the ASA itself. ICMP is allowed:

icmp permit any inside

icmp permit any outside

access-list outside_access_in extended permit icmp any any

Protocol inspections and fixups are default.

When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:

302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session

313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside

302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

Where 202.xx.yy.zz is IP of external interface of ASA.

This is a very simple setup that runs on a number of other PIXes/ASAs, and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface?

Any help will be highly appreciated.

Thank you.

Alex

4 REPLIES
Gold

Re: ASA 5505: unable to ping external hosts

Just to clarify, outside_access_in is the ACL that is applied to your outside interface?

Can you post the full ACL, as well as all nat/global/static commands?

New Member

Re: ASA 5505: unable to ping external hosts

I attached the config of the ASA.

I am running similar configs on other firewalls and never had a problem with ICMP being blocked.

New Member

Re: ASA 5505: unable to ping external hosts

Did you ever come up with a fix for this? I am running into this very issue right now on an ASA5505 running 7.2(3).

Re: ASA 5505: unable to ping external hosts

Alex / Kerry, you have a couple of options for handling ICMP outbound, either an ACL or ICMP inspection:

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

access-group outside_access_in in interface outside

Or ICMP inspection instead of the ACL:

policy-map global_policy
 class inspection_default
  inspect icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

HTH

Jorge
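
The log pattern from the original post (an outbound ICMP connection is built, then the echo-reply, type 0, is denied on the outside interface before teardown) can be checked for automatically. The Python below is an added example, not code from any poster or from Cisco; it assumes the one-message-per-line layout shown in the post with the message ID first, and the function and pattern names are hypothetical.

```python
import re

# Log lines copied from the original post (message ID first, outside address masked as posted).
SAMPLE_LOG = """\
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
"""

# 302020 = Built, 302021 = Teardown; capture faddr, gaddr, laddr without the ICMP id suffix.
CONN = re.compile(r"^(30202[01]) .*ICMP connection for faddr (\S+?)/\d+ gaddr (\S+?)/\d+ laddr (\S+?)/\d+")
# 313001 / 313004 denials; capture the ICMP type and the source address.
DENIED = re.compile(r"^(31300[14]) .*Denied ICMP type=(\d+),.* from (?:laddr )?(\S+) on interface")


def dropped_echo_replies(log_text):
    """Return {(inside_host, remote_host): [message IDs]} for echo-replies (type 0)
    denied while that inside host's outbound ICMP connection was still open."""
    open_conns = {}  # (faddr, laddr) -> gaddr for connections built but not yet torn down
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := CONN.match(line):
            msg_id, faddr, gaddr, laddr = m.groups()
            if msg_id == "302020":
                open_conns[(faddr, laddr)] = gaddr
            else:
                open_conns.pop((faddr, laddr), None)
        elif m := DENIED.match(line):
            msg_id, icmp_type, src = m.groups()
            if icmp_type != "0":  # only echo-reply is of interest here
                continue
            for (faddr, laddr), gaddr in open_conns.items():
                # laddr == gaddr is the entry for the translated address itself; skip it
                if faddr == src and laddr != gaddr:
                    findings.setdefault((laddr, src), []).append(msg_id)
    return findings


if __name__ == "__main__":
    for (host, remote), ids in dropped_echo_replies(SAMPLE_LOG).items():
        print(f"{host} -> {remote}: echo-reply denied on return path ({', '.join(ids)})")
```

A non-empty result is the situation the reply above addresses with either the echo-reply ACL entry or `inspect icmp`.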
