https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231888#M349937 <HTML><HEAD></HEAD><BODY><P>Thank you Jouni,</P><P>ICMP Inspection is enabled for ICMP &amp; ICMP ERROR.</P><P>But still I cannot PING.</P><P></P><P>SYSLOG shows that </P><P></P><P>INBOUND ICMP CONNECTION has been built but right after that </P><P>TEARDOWN ICMP CONNECTION shows up.</P><P></P><P>What other part do I need to check?</P></BODY></HTML> Tue, 14 May 2013 22:28:44 GMT johnlee43 2013-05-14T22:28:44Z https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231886#M349935 <P>Hi everyone,</P><P></P><P>I have ASA 5520.</P><P></P><P>I cannot ping the host(192.168.1.20) which is inside firewall from outside hosts. Help me please.</P><P><BR />Inside host (192.168.1.20) is translated into (198.24.210.226) using static NAT.<BR />From outside host, I used "PING 198.24.210.226".&nbsp; Is it because I used dynamic PAT for inside hosts?</P><P><BR />interface GigabitEthernet0/0<BR />nameif outside<BR />security-level 0<BR />ip address 198.24.210.230 255.255.255.248<BR />!<BR />interface GigabitEthernet0/1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.1 255.255.255.0</P><P>access-list OUTSIDE-IN extended permit ip any any<BR />access-list OUTSIDE-IN extended permit icmp any any</P><P>access-list inside_access_in extended permit ip any any<BR />access-list inside_access_in extended permit icmp any any</P><P>global (outside) 1 interface<BR />nat (inside) 1 0.0.0.0 0.0.0.0</P><P>static (inside,outside) 198.24.210.226 192.168.1.20 netmask 255.255.255.255<BR />access-group OUTSIDE-IN in interface outside<BR />access-group inside_access_in in interface inside<BR />route outside 0.0.0.0 0.0.0.0 198.24.210.225 1</P><P></P><P>Thank you for your response.</P> Tue, 12 Mar 2019 01:43:15 GMT https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231886#M349935 johnlee43 2019-03-12T01:43:15Z https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231887#M349936 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Make sure you have ICMP Inspection enabled.</P><P></P><P>Configure this if its not (or just to be sure)</P><P></P><P><STRONG>fixup protocol icmp</STRONG></P><P></P><P><STRONG>fixup protocol icmp error</STRONG></P><P></P><P>I wouldnt recommend permitting all "ip" traffic from the "outside"</P><P></P><P>The Dynamic PAT is no problem here. Static NAT for a host overrides Dynamic PAT. In other words the host will always use the Static NAT public IP address when connected to and when connecting out from the network.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 14 May 2013 20:58:20 GMT https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231887#M349936 Jouni Forss 2013-05-14T20:58:20Z https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231888#M349937 <HTML><HEAD></HEAD><BODY><P>Thank you Jouni,</P><P>ICMP Inspection is enabled for ICMP &amp; ICMP ERROR.</P><P>But still I cannot PING.</P><P></P><P>SYSLOG shows that </P><P></P><P>INBOUND ICMP CONNECTION has been built but right after that </P><P>TEARDOWN ICMP CONNECTION shows up.</P><P></P><P>What other part do I need to check?</P></BODY></HTML> Tue, 14 May 2013 22:28:44 GMT https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231888#M349937 johnlee43 2013-05-14T22:28:44Z https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231889#M349938 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>I went through your query and can suggest you one thing that you can restart your ASA if it is not a live production environemnt and if still the problem presists then I yhink there is an issue with Dynamic gloabal PAT that you have done.</P></BODY></HTML> Wed, 22 May 2013 02:38:16 GMT https://community.cisco.com/t5/network-security/ping-from-outside-into-inside-host/m-p/2231889#M349938 harvisin 2013-05-22T02:38:16Z