topic I'm pretty sure you just in Network Security

ASA Outside Interface Ping not working ...

Jim R — Tue, 12 Mar 2019 07:22:24 GMT

Hi all,

Not entirely convinced that I've not missed something very simple along the way but am looking for some help. Essentially I can't ping the outside interface of my ASA from another network several hops away. However I can ping devices on the 'inside' interface. I am guessing this some sort of ICMP policy stopping this or perhaps just the default behaviour of the ASA but I'm not sure what I've missed. I am running version 9.4.

Topology is as follows:

192.168.1.0 - Inside

192.168.10.0 - Outside

MPLS Network

192.168.20.0 - Remote site

Access lists as follows:

outside_out extended permit icmp any any object-group networksvc-ping

outside_in extended permit icmp any any object-group networksvc-ping

inside_outextended permit icmp any any object-group networksvc-ping

inside_in extended permit icmp any any object-group networksvc-ping

Applied to:

access-group outside_in in interface Outside
access-group outside_out out interface Outside
access-group inside_in in interface inside
access-group inside_out out interface inside

Also policy-maps:

policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options

Single default route via the inside. Couple of statics pointing to internal networks behind the inside interface. All inside interface IPs can be pinged. However from the outside I cannot ping the outside interface. Any ideas/thoughts? Can see nothing on the logs or via debug ICMP which makes me think its some sort of default behaviour that drops this traffic automatically. No nat if configured.

Thanks in advance, happy to post more config if needed.

Many thanks,

FYI networksvc-grp is as

Jim R — Sun, 21 Feb 2016 21:15:23 GMT

FYI networksvc-grp is as follows:

object-group icmp-type networksvc-ping
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object source-quench
icmp-object unreachable

Where is the PC located that

Marius Gunnerud — Sun, 21 Feb 2016 21:42:52 GMT

Where is the PC located that you are pinging from? Is the outside interface the ingress interface for the ICMP packets? You may already know, but you can not ping an interface that is not the ingress interface on the ASA.

If this is not the case, try adding the command icmp permit any outside.

Please select a correct answer and rate helpful posts

Hi Maria

Jim R — Sun, 21 Feb 2016 22:34:13 GMT

Hi Maria

The PC is on the outside so the packet would be inbound on the outside interface. I did try the command you discussed previously but with no success. Thanks for taking the time to reply though

If you put a laptop on the

Marius Gunnerud — Sun, 21 Feb 2016 22:37:56 GMT

If you put a laptop on the same network as the outside interface, are you then able to ping the outside IP of the ASA?

Please select a correct answer and rate helpful posts

I'm pretty sure you just

Florin Barhala — Mon, 22 Feb 2016 21:22:42 GMT

I'm pretty sure you just messed the 4 ACLs you're using on in/out for the two interfaces.

I suggest you use the now classic in direction for each of the two interfaces and so you get rid of two additional ACLs. Then carefully review the rest of applied ACLs.

If you still have issues run clear configure access-group and test again.

Hi Florin,

Jim R — Mon, 22 Feb 2016 21:39:07 GMT

Hi Florin,

Originally the configuration had the traditional 'in' rules only. The outbound rules were added to see if they made any difference which they didn't. I've had it set where we have allowed ICMP in on both in the inside and outside interfaces yet still no dice.

Thanks for your input though.

I'm not physically able to

Jim R — Mon, 22 Feb 2016 21:40:37 GMT

I'm not physically able to get near the device to try this at the moment Marius, however I will give this a go (I am reasonably sure this has worked in the past though as I think we tested this during deployment)

Cheer,

Another thing to check is if

Marius Gunnerud — Mon, 22 Feb 2016 21:54:45 GMT

Another thing to check is if the ASA has a route back to the network you are pinging from.

Please select a correct answer and rate helpful posts