https://community.cisco.com/t5/network-security/not-make-sense-ping-result/m-p/4586156#M1088946 <P>Hi,</P><P>&nbsp;</P><PRE>(config)# fixup protocol icmp </PRE><P><A href="https://community.cisco.com/t5/security-blogs/cisco-asa-and-icmp-inspection/ba-p/3773485" target="_blank">https://community.cisco.com/t5/security-blogs/cisco-asa-and-icmp-inspection/ba-p/3773485</A></P><P>&nbsp;</P><P>BR,</P><P>Octavian</P> Tue, 05 Apr 2022 05:17:20 GMT Octavian Szolga 2022-04-05T05:17:20Z https://community.cisco.com/t5/network-security/not-make-sense-ping-result/m-p/4585962#M1088945 <P>Hello</P><P>&nbsp;</P><P>Would you please help me for basic question?</P><P>from PC2 I can not ping to pc1 or pc3. confirm 3 PC had correct IP and gateway.</P><P>if I put a router in pc 1 and pc3 then enable icmp debug, icmp can receive and had been reply.</P><P>So the question is why icmp can not come back. It should able to come back as this is stateful firewall. Am I right?</P><P>If I create an acl to allow pc1 and pc3 inbound, pc2 can ping to pc1 and pc3.</P><P>&nbsp;</P><P>why PC1 can ping to g0/2? Wan interface allow ping by default?</P><P>Thank you.</P><P>&nbsp;</P><P>ciscoasa# show access-list<BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)</P><P>&nbsp;</P><P><BR />alert-interval 300<BR />ciscoasa# show run int<BR />!<BR />interface GigabitEthernet0/0<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.0.1 255.255.255.0<BR />!<BR />interface GigabitEthernet0/1<BR />nameif dmz<BR />security-level 50<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />interface GigabitEthernet0/2<BR />nameif outside<BR />security-level 0<BR />ip address 198.51.100.100 255.255.255.0<BR />!<BR />interface GigabitEthernet0/3<BR />shutdown<BR />no nameif<BR />no security-level<BR />no ip address<BR />!</P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="QQ截图20220405113334.png" style="width: 688px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/148060iB5B72AC9EE056F45/image-size/large?v=v2&amp;px=999" role="button" title="QQ截图20220405113334.png" alt="QQ截图20220405113334.png" /></span></P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html</A></P> Tue, 05 Apr 2022 04:26:29 GMT https://community.cisco.com/t5/network-security/not-make-sense-ping-result/m-p/4585962#M1088945 gdy1039 2022-04-05T04:26:29Z https://community.cisco.com/t5/network-security/not-make-sense-ping-result/m-p/4586156#M1088946 <P>Hi,</P><P>&nbsp;</P><PRE>(config)# fixup protocol icmp </PRE><P><A href="https://community.cisco.com/t5/security-blogs/cisco-asa-and-icmp-inspection/ba-p/3773485" target="_blank">https://community.cisco.com/t5/security-blogs/cisco-asa-and-icmp-inspection/ba-p/3773485</A></P><P>&nbsp;</P><P>BR,</P><P>Octavian</P> Tue, 05 Apr 2022 05:17:20 GMT https://community.cisco.com/t5/network-security/not-make-sense-ping-result/m-p/4586156#M1088946 Octavian Szolga 2022-04-05T05:17:20Z https://community.cisco.com/t5/network-security/not-make-sense-ping-result/m-p/4586175#M1088947 <P>Dear Octavian</P><P>&nbsp;</P><P>Your prompt reply warm my heart.</P><P>Very appreciate for your help. It save my time and make me improve.</P><P>Thank you.</P> Tue, 05 Apr 2022 05:58:38 GMT https://community.cisco.com/t5/network-security/not-make-sense-ping-result/m-p/4586175#M1088947 gdy1039 2022-04-05T05:58:38Z