Cisco Support Community

New Member

Outside Interface IP not reachable

I have set up an ASA5505 with a basic configuration. Everything internally works great, but if I try to ping the outside interface from an external location, I am unable to do so. I will be using the external IP to access the VPN from another location. I'm sure there is something simple that I am missing here. I have attached my configuration. Any help would be greatly appreciated.

Mike

11 REPLIES

Re: Outside Interface IP not reachable

You need to configure an ACL to allow it and then apply it to the outside interface.

access-list outside_access permit icmp any any

access-group outside_access in interface outside

THIS IS JUST AN EXAMPLE, you should not permit icmp any any.

HTH and please rate.

New Member

Re: Outside Interface IP not reachable

Thanks for the reply. I added the ACLs but they did not correct the issue. When I look at the ASDM, it shows an implicit rule that appears to be denying all incoming traffic on the outside interface. I don't see a way of eliminating this rule.

Re: Outside Interface IP not reachable

Please post your updated config.

New Member

Re: Outside Interface IP not reachable

Here it is...

Re: Outside Interface IP not reachable

Can you also post a screenshot in ASDM of the ACL that's blocking? I don't see an ACL in the config (unless ASDM shows the default deny). Thanks.

New Member

Re: Outside Interface IP not reachable

Here it is. Not sure if this implicit rule is supposed to be superseded by the explicit rule or not.

New Member

Re: Outside Interface IP not reachable

One other item to note is that when I try to ping the outside interface, I noticed in the log that I get the following denial...

"Deny IP spoof from xx.xx.xx.xx to on interface outside". I looked at my IP spoof settings and they are turned off.

Re: Outside Interface IP not reachable

Can you telnet/ssh into the box and enter the ACL I provided? I never use ASDM and cannot speak intelligently about it or its functionality.

New Member

Re: Outside Interface IP not reachable

Yes. I entered the ACL that way and got the same result: I am unable to ping the outside interface, but I receive an IP spoofing error and the packets are dropped.

New Member

Re: Outside Interface IP not reachable

icmp permit any

Re: Outside Interface IP not reachable

The access-list permitting icmp is to allow ICMP/ping packets to pass through the firewall to the other segment/end.

The "icmp {permit | deny} ip_address net_mask [icmp_type] if_name" command is used to allow the PIX/ASA to respond to pings directed to its interface. You can specify different ICMP message types, i.e., echo, echo-reply, etc.

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

hostname(config)# icmp permit host 172.16.2.15 echo-reply outside

hostname(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside

hostname(config)# icmp permit any unreachable outside
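The distinction drawn in the last reply, as an added example that is not part of the original thread: a small Python audit that separates `access-list` ICMP entries (through traffic) from `icmp` rules (traffic addressed to the interface itself) and marks `icmp permit` rules open to any source. The sample config is constructed from the commands quoted above, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample config built from the commands quoted in this thread.
SAMPLE_CONFIG = """\
access-list outside_access permit icmp any any
access-group outside_access in interface outside
icmp permit host 172.16.2.15 echo-reply outside
icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
icmp permit any unreachable outside
icmp permit any outside
"""

def parse_icmp_rule(line):
    """Parse 'icmp {permit|deny} ip_address net_mask [icmp_type] if_name'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        return None
    try:
        if tok[2] == "any":
            source, rest = "any", tok[3:]
        elif tok[2] == "host":
            source, rest = str(ipaddress.ip_network(tok[3])), tok[4:]
        else:
            # strict=False normalises an address that has host bits set
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            source, rest = str(net), tok[4:]
    except (IndexError, ValueError):
        return None
    if len(rest) not in (1, 2):  # expect [icmp_type] if_name
        return None
    return {"action": tok[1], "source": source,
            "icmp_type": rest[0] if len(rest) == 2 else "all",
            "if_name": rest[-1]}

def audit(config, if_name="outside"):
    """Return (line, note) findings for ICMP handling on one interface."""
    findings = []
    for line in (l.strip() for l in config.splitlines()):
        tok = line.split()
        if tok[:1] == ["access-list"] and "icmp" in tok[2:]:
            findings.append((line, "through-traffic ACL; not a to-the-interface rule"))
            continue
        rule = parse_icmp_rule(line)
        if rule and rule["if_name"] == if_name and rule["action"] == "permit":
            scope = "BROAD" if rule["source"] == "any" else "scoped"
            findings.append((line, f"{scope}: {rule['source']} type={rule['icmp_type']}"))
    return findings

if __name__ == "__main__":
    for line, note in audit(SAMPLE_CONFIG):
        print(f"{note:<50} <- {line}")
```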
