Cisco Support Community
New Member

ASA 5505 : not root


My 5505 has an inside IP 10.202.0.X and an outside IP 25.10.10.x. Outside and inside are pingable independently, but I cannot ping 25.10.10.X (ACL rules are OK) and I see nothing in the log.

Help?

thank you


Re: ASA 5505 : not root

Do you have the right NAT configured?

Still, I think you are not able to ping the ASA's own interface.

You need an ACL applied to the outside interface allowing icmp echo reply, or enable icmp in the inspection.
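
The check described in this reply (an inbound ACL on the outside interface that permits echo-reply, or ICMP inspection in the global policy), as an added example that is not part of the original thread. The ACL name `OUT_IN`, the interface name `outside` and the sample config are constructed; the parser assumes the indentation printed by a real `show running-config` and does not evaluate ACL entry order.

```python
import re

# Constructed sample in the style of the running-config posted in this thread
# (indented as a real "show running-config" prints it). Names are hypothetical.
SAMPLE = """\
access-list OUT_IN extended permit icmp any any echo
access-group OUT_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

def inbound_acl_permits_echo_reply(cfg, ifname):
    """True if the ACL bound inbound on ifname has an entry permitting echo-reply."""
    bound = re.search(
        rf"^access-group (\S+) in interface {re.escape(ifname)}\s*$", cfg, re.M)
    if not bound:
        return False  # no inbound ACL bound to this interface
    acl = re.escape(bound.group(1))
    # Either an explicit echo-reply entry or a blanket "permit ip|icmp any any".
    entry = re.compile(
        rf"^access-list {acl} extended permit "
        rf"(?:icmp .*\becho-reply|(?:ip|icmp) any any)\s*$", re.M)
    return bool(entry.search(cfg))

def global_policy_inspects_icmp(cfg):
    """True if the policy-map applied globally contains a bare "inspect icmp"."""
    sp = re.search(r"^service-policy (\S+) global\s*$", cfg, re.M)
    if not sp:
        return False
    in_map = False
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a top-level command opens or closes a block
            in_map = line.split() == ["policy-map", sp.group(1)]
        elif in_map and line.split() == ["inspect", "icmp"]:
            return True  # "inspect icmp error" alone does not count
    return False

def echo_reply_return_path(cfg, ifname):
    """Report which of the two mechanisms would let echo replies back in."""
    return {"acl_echo_reply": inbound_acl_permits_echo_reply(cfg, ifname),
            "inspect_icmp": global_policy_inspects_icmp(cfg)}

if __name__ == "__main__":
    print(echo_reply_return_path(SAMPLE, "outside"))
```
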

New Member

Re: ASA 5505 : not root

All these points are good; anyway, I should see some info in the log about the blocked ICMP packet.

New Member

Re: ASA 5505 : not root

My config is:

WATO-CISCOASA5505-VPN# show running-config
: Saved

ASA Version 7.2(3)

hostname WATO-CISCOASA5505-VPN

enable password XXXXXXXXXXXXX encrypted

interface Vlan1
 description Cote Firewall
 nameif FW_PART_VPN
 security-level 100
 ip address 10.202.0.X

interface Vlan2
 description Cote routeur 9 TEL
 nameif ROOT_9TEL_WWW
 security-level 0
 ip address 62.106.X.X

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd XXXXXXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS

access-list ROOT_9TEL_WWW_access_in remark PING TEST
access-list ROOT_9TEL_WWW_access_in extended permit icmp any any echo
access-list ROOT_9TEL_WWW_access_in remark PING REPLY
access-list ROOT_9TEL_WWW_access_in extended permit icmp any any echo-reply
access-list ROOT_9TEL_WWW_access_out remark FLUX MONTANT
access-list ROOT_9TEL_WWW_access_out extended permit ip any any
access-list ROOT_9TEL_WWW_access_out extended permit icmp any any echo
access-list FW_PART_VPN_access_out remark PING TEST
access-list FW_PART_VPN_access_out extended permit icmp any any echo-reply
access-list FW_PART_VPN_access_in extended permit icmp any any echo
access-list FW_PART_VPN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu FW_PART_VPN 1500
mtu ROOT_9TEL_WWW 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (ROOT_9TEL_WWW) 1 interface
nat (FW_PART_VPN) 1
access-group FW_PART_VPN_access_in in interface FW_PART_VPN
access-group FW_PART_VPN_access_out out interface FW_PART_VPN
access-group ROOT_9TEL_WWW_access_in in interface ROOT_9TEL_WWW
access-group ROOT_9TEL_WWW_access_out out interface ROOT_9TEL_WWW

router rip

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config ROOT_9TEL_WWW

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
username devtest nopassword privilege 15
prompt hostname context

: end

New Member

Re: ASA 5505 : not root

When I run a packet tracer, it tells me the packet is dropped because of the ACL implicit rule, but there is no trace in the log!!!! Why??

In fact, I think the ASA does not route my packet.



Re: ASA 5505 : not root

Try to remove the access-list from outgoing traffic; leave it only on the IN flow.

New Member

Re: ASA 5505 : not root

I removed the ACL on outgoing traffic -> the same problem.

Anyway, I did a test with the ping tool:

to ping 62.106.142.X from inside (10.202.0.X)


6 Feb 15 2008 12:11:25 110003 Routing failed to locate next hop for icmp from NP Identity Ifc:10.202.0.X/0 to FW_PART_VPN:62.106.142.X/0
