yes, you are right. I changed and my ping packets can reach the asa5200. but, it bands because it deny inbound icmp.

Great thanks for help. since you are online, could you please advice me, how can I remove the deny for icmp?

the security level is 0 already. I thought it should allow all traffic pass?

Many Regards

By default, PIX/ASA will deny incoming access/ICMP from outside (lower security) to inside/higher security level interfaces.

You need to open/use ACL to allow inbound ICMP/ping from outside to inside, i.e to your Vlan101, do the following:

General

access-list outside extended permit icmp any any ---> permit any icmp type

access-group outside in interface outside

Ping to specific host:

- you need to map the inside host to an outside ip, so that outside users/hosts can ping it. Use static command.

Example - map vlan101 host 10.1.1.12 to unused outside IP of 10.1.3.40

static (inside,outside) 10.1.3.40 10.1.1.12 netmask 255.255.255.255

access-list outside extended permit icmp any host 10.1.3.40 --> allow

access-group outside in interface outside

or you can specify who can ping to specific destination:

access-list outside extended permit icmp host 10.1.3.100 host 10.1.3.40

access-group outside in interface outside

Note:

- replace the keyword 'outside' with any name/number

- you can narrow icmp type, i.e echo, echo-reply and so on. Add it at the end of ACL.

HTH

AK

Great thanks for the reply.

I can not use NAT, I have used "no nat-control"

I need outside any machine can ping inside machine 10.1.1.12 and I need 10.1.1.0 can be seen in outside ( not internet)

Basicaly, I need make asa5520 as router, because I can not change the inside machines ip addresses since they are on production.

I need add asa5520 into current infrastruction with no firewall first. and then think about firewall.

Please advice how can I achive it.