Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

ACL implicit deny Problems

Hi All,

Unable to Access Inside PC from outside network. Here is the error given below. I have configure access-list outside any any

also i have configured icmp any any but i couldn't communicate. I have check all access-list and access-group. everything ok.

%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst 
interface_name: IP_address (type dec, code dec)

PID: ASA5515

Software Version 9.0(4)

-01# sho run

: Saved


ASA Version 9.0(4)


enable password fNfvz0nxWqnzuVsW encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted



interface GigabitEthernet0/0

description *** Connected to CORE-SW-01 ***

channel-group 11 mode active

no nameif

no security-level

no ip address


interface GigabitEthernet0/1

description *** Connected to CORE-SW-01 ***

channel-group 11 mode active

no nameif

no security-level

no ip address


interface GigabitEthernet0/2

no nameif

security-level 0

no ip address


interface GigabitEthernet0/2.32

vlan 32

nameif inside

security-level 100

ip address


interface GigabitEthernet0/3


no nameif

no security-level

no ip address


interface GigabitEthernet0/4

description LAN/STATE Failover Interface


interface GigabitEthernet0/5


no nameif

no security-level

no ip address


interface Management0/0


nameif managment

security-level 0

ip address


interface Port-channel11

description *** Connected to CORE-SW ***

nameif outside

security-level 100

ip address standby


boot system disk0:/asa904-smp-k8.bin

ftp mode passive

dns server-group DefaultDNS


object network IT-Network


access-list test extended permit icmp any

access-list IPS_ACL extended permit ip any4 any4

access-list test1 extended permit ip any any

pager lines 24

logging enable

logging buffered informational

logging trap informational

logging asdm informational

mtu inside 1500

mtu managment 1500

mtu outside 1500


failover lan unit primary

failover lan interface failover GigabitEthernet0/4

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover key *****

failover replication http

failover link failover GigabitEthernet0/4

failover interface ip failover standby

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group test1 in interface inside

access-group test in interface outside

route outside 1

route outside 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http server idle-timeout 5

http server session-timeout 5

http outside

http managment

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh managment

ssh outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username mdbladmin password xmMhtANupK0CJ7AP encrypted privilege 15


class-map IPS_CL_MAP

match access-list IPS_ACL

class-map inspection_default



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map CMP_DMZ_MAIL_SMTP

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect http

  inspect dns preset_dns_map dynamic-filter-snoop

  inspect icmp

class IPS_CL_MAP

  ips inline fail-close


service-policy global_policy global

prompt hostname context

no call-home reporting anonymous


profile CiscoTAC-1

  no active

  destination address http

  destination address email

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 3

  subscribe-to-alert-group configuration periodic monthly 3

  subscribe-to-alert-group telemetry periodic daily


: end

Version history
Revision #:
1 of 1
Last update:
‎02-12-2014 11:09 PM
Updated by:
Labels (1)
Super Bronze


You should post questions in the Discussions section. This section is meant for user created documentation.

- Jouni