https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487541#M267887 <P>Is there by chance a firewall on your internal resources that are natted to the public IPs that would prevent ICMP?</P> Wed, 02 Apr 2014 18:14:02 GMT jj27 2014-04-02T18:14:02Z https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487540#M267876 <P>Hi all.... hoping an easy answer to this one.&nbsp; I have seen a few views that don't help me.&nbsp; I have just migrated a Watchguard X seres to an Asa 5510.&nbsp; I have a 2811 in front of it to handle the Bgp peering previously handled by the WG.&nbsp; All is well.&nbsp; There are several public facing services behind the Asa hence the additional /27.&nbsp; The ouside interface of the Asa is one half of another /30.&nbsp; I defined all the /27 ddresses as objects and used them ok&nbsp;in access and nat rules.&nbsp; The public services are ok and I can get out to the internet from Dmz and Inside networks.</P><P>&nbsp;I have just realised that my externally hosted monitoring service that polls (pings mostly) the public servers (the servers responding to the /27 addresses) isn't working.&nbsp; I cant ping any of the /27 addresses from outside.&nbsp; I can ping the outside interface /30 address.&nbsp; There is an access-l rule&nbsp;any any for icmp -&nbsp;in on the outside interface.</P><P>I am missing something simple right?</P><P>Cheers</P><P>Damien.</P><P>&nbsp;</P> Tue, 12 Mar 2019 04:01:33 GMT https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487540#M267876 DjDamo 2019-03-12T04:01:33Z https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487541#M267887 <P>Is there by chance a firewall on your internal resources that are natted to the public IPs that would prevent ICMP?</P> Wed, 02 Apr 2014 18:14:02 GMT https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487541#M267887 jj27 2014-04-02T18:14:02Z https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487542#M267889 <P>Damien</P><P>Another possible cause is if you have an acl applied to the inside interface that might be blocking the return ICMP packets.</P><P>If you are using ICMP inspection you should be fine but if not you would need to modify the inside acl.</P><P>Jon</P> Wed, 02 Apr 2014 19:34:39 GMT https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487542#M267889 Jon Marshall 2014-04-02T19:34:39Z https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487543#M267895 <P>Jon, no Acls on inside interface.&nbsp; But the issue unrelated to the inside.&nbsp; I cant ping these public addreses from the internet. Yet I can ping the xternal interface /30 address from the internet ok.&nbsp; I can also get to the natted services that are using the /27 addresses, just no icmp!&nbsp; There is an any-any in rule on outside for icmp.</P><P>I am thinking the way I have used the /27 addresses must be incorrect.&nbsp; Struggling to find any doco though.</P><P>Damien.</P> Thu, 03 Apr 2014 02:55:20 GMT https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487543#M267895 DjDamo 2014-04-03T02:55:20Z https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487544#M267897 <P>No.... some more detail in response above.&nbsp; The issue is icmp to the /27 public addresses from the internet.&nbsp; Can get to any natted service just no icmp.</P><P>&nbsp;</P><P>DA</P><P>&nbsp;</P> Thu, 03 Apr 2014 02:56:46 GMT https://community.cisco.com/t5/network-security/asa-5510-additional-outside-27-address-block-no-icmp-into-it/m-p/2487544#M267897 DjDamo 2014-04-03T02:56:46Z