Unable to ping and traceroute through the PIX/ASA Firewall when the device is behind it
This can happen when the Internet Control Message Protocol (ICMP) is not enabled on the outer interface.
Complete these steps in order to resolve this issue in PIX version 6.x:
Enable ICMP on the outer interface.
Issue these commands in sequence:
access-list < allowicmp > line 1 permit icmp any any echo
access-list < allowicmp > line 2 permit icmp any any unreachable
access-list < allowicmp > line 3 permit icmp any any time-exceeded
access-list < allowicmp > line 4 permit icmp any any source-quench
access-list < allowicmp > line 5 permit icmp any any
Note: The access-list < allowicmp > command is bound on the outer interface.
In order to resolve this issue in PIX/ASA version 7.x, there are two options:
You can use access-list as in version 6.x.
Configure ICMP inspection.
This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside, and the firewall allows the replies to return. It also lets you monitor the ICMP traffic that traverses the firewall. In this example, ICMP inspection is added to the default global inspection policy.
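The configuration that last sentence refers to does not appear on this page. As an added example (not taken from the original page), this is how ICMP inspection is enabled in the default global policy on PIX/ASA 7.x. It assumes the default names global_policy and inspection_default are still in place.

```cisco
! Added example; assumes the default 7.x class-map and policy-map names.
! The default configuration already contains:
!   class-map inspection_default
!    match default-inspection-traffic
policy-map global_policy
 class inspection_default
  ! Track outbound echo requests and admit only the matching replies
  inspect icmp
!
! Present by default; shown so the global binding is explicit.
service-policy global_policy global
```

With this in place, the broad `permit icmp any any` entry from the access-list option is not needed for ping replies, and `show service-policy` reports the ICMP inspection counters.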