https://community.cisco.com/t5/network-security/asa-5510/m-p/4006116#M1050583 Turn on debugs with command "debug icmp trace" and run the ping again, upload the output here for review.<BR /><BR />Also run packet-tracer from the CLI and provide the output - use the command "packet-tracer input LAN 192.168.1.4 8 0 172.10.0.1" Fri, 03 Jan 2020 16:15:19 GMT Rob Ingram 2020-01-03T16:15:19Z https://community.cisco.com/t5/network-security/asa-5510/m-p/4005646#M1050580 <P>Hi&nbsp;</P><P>Complete configuration of asa5510 is:</P><P>ciscoasa(config)# show running-config<BR />: Saved<BR />:<BR />ASA Version 8.2(5)<BR />!<BR />hostname ciscoasa<BR />enable password 8Ry2YjIyt7RRXU24 encrypted<BR />passwd 2KFQnbNIdI.2KYOU encrypted<BR />names<BR />!<BR />interface Ethernet0/0<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface Ethernet0/1<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface Ethernet0/2<BR />nameif LAN<BR />security-level 90<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />interface Ethernet0/3<BR />nameif WAN<BR />security-level 60<BR />ip address 172.10.0.3&nbsp; 255.255.252.0<BR />!<BR />interface Management0/0<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />ftp mode passive<BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu WAN 1500<BR />mtu LAN 1500<BR />no failover<BR />icmp unreachable rate-limit 1 burst-size 1<BR />asdm image disk0:/asdm-645.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />route WAN 0.0.0.0 0.0.0.0 172.10.0.1 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />http server enable<BR />http 172.10.0.0 255.255.252.0 WAN<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart<BR />crypto ipsec security-association lifetime seconds 28800<BR />crypto ipsec security-association lifetime kilobytes 4608000<BR />telnet timeout 5<BR />ssh timeout 5<BR />console timeout 0<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />webvpn<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect ip-options<BR />inspect netbios<BR />inspect rsh<BR />inspect rtsp<BR />inspect skinny<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect sunrpc<BR />inspect tftp<BR />inspect sip<BR />inspect xdmcp<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />call-home<BR />profile CiscoTAC-1<BR />no active<BR />destination address http <A href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank" rel="noopener">https://tools.cisco.com/its/service/oddce/services/DDCEService</A><BR />destination address email callhome@cisco.com<BR />destination transport-method http<BR />subscribe-to-alert-group diagnostic<BR />subscribe-to-alert-group environment<BR />subscribe-to-alert-group inventory periodic monthly<BR />subscribe-to-alert-group configuration periodic monthly<BR />subscribe-to-alert-group telemetry periodic daily<BR />Cryptochecksum:cdeae48234bbea3e4d267f47c1bee40a<BR />: end</P><P>But i can not&nbsp; ping interface ethernet 0/3 (172.10.0.3) and gateway (172.10.0.1) via LAN network.</P><P>Log of ASDM is "routing failed to locate next hop for icmp from NP identity ifc:192.168.1.4/0 to LAN:WAN/0.</P><P>Pl</P> Fri, 21 Feb 2020 17:48:28 GMT https://community.cisco.com/t5/network-security/asa-5510/m-p/4005646#M1050580 poneh35 2020-02-21T17:48:28Z https://community.cisco.com/t5/network-security/asa-5510/m-p/4005668#M1050581 Hi,<BR />You cannot ping the ASA's WAN interface when connected to the LAN interface, that is by design - you can only ping the ASA's closest interface.<BR /><BR />You probably cannot ping the WAN's gateway 172.10.0.1 because you either need to configure an ACL on the OUTSIDE interface to permit echo-reply or you could just enable icmp inspection in MPF, use the command "fixup protocol icmp".<BR /><BR />HTH Thu, 02 Jan 2020 17:10:14 GMT https://community.cisco.com/t5/network-security/asa-5510/m-p/4005668#M1050581 Rob Ingram 2020-01-02T17:10:14Z https://community.cisco.com/t5/network-security/asa-5510/m-p/4006107#M1050582 <P>I add this command but ping doesn't work</P> Fri, 03 Jan 2020 15:55:10 GMT https://community.cisco.com/t5/network-security/asa-5510/m-p/4006107#M1050582 poneh35 2020-01-03T15:55:10Z https://community.cisco.com/t5/network-security/asa-5510/m-p/4006116#M1050583 Turn on debugs with command "debug icmp trace" and run the ping again, upload the output here for review.<BR /><BR />Also run packet-tracer from the CLI and provide the output - use the command "packet-tracer input LAN 192.168.1.4 8 0 172.10.0.1" Fri, 03 Jan 2020 16:15:19 GMT https://community.cisco.com/t5/network-security/asa-5510/m-p/4006116#M1050583 Rob Ingram 2020-01-03T16:15:19Z https://community.cisco.com/t5/network-security/asa-5510/m-p/4006341#M1050584 <P>I don't know what the problem was, but I reset the config of firewall and try again.<BR />Add commands on it:<BR />fixup protocol icmp<BR />debug icmp trace<BR />The problem was solved.<BR />Thanks.</P> Sat, 04 Jan 2020 05:45:49 GMT https://community.cisco.com/t5/network-security/asa-5510/m-p/4006341#M1050584 poneh35 2020-01-04T05:45:49Z