topic Can't Ping FROM ASA Unit to Inet in Network Security https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206642#M350132 <P>Hello,</P><P>I have an interesting issue I can't figure out. My setup is simple; &lt;inside network (192.168.1.x)&gt; -------&gt; ASA---------&gt; Inet.</P><P>Clients on the 192.168.1.x subnet can ping 4.2.2.2 and get icmp replies with no problem. However, if I try to do an extended ping from the ASA unit itself I get nothing. What am I missing? Thanks</P><P></P><P></P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address 173.163.x.x </P><P>!</P><P>interface Vlan3</P><P> no forward interface Vlan1</P><P> nameif public</P><P> security-level 10</P><P> ip address 192.168.5.1 255.255.255.0 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Vlan50</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 172.16.1.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P> switchport access vlan 50</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P> switchport access vlan 3</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>boot system disk0:/asdm-631.bin</P><P>ftp mode passive</P><P>dns domain-lookup outside</P><P>dns server-group DefaultDNS</P><P> name-server 4.2.2.2</P><P> domain-name xxxxx</P><P>object-group network obj-192.168.2.0</P><P>object-group network obj-192.168.1.0</P><P>object-group network obj-192.168.3.0</P><P>object-group network obj-192.168.1.9</P><P>object-group network obj-192.168.1.9-01</P><P>object-group network obj-192.168.1.12</P><P>object-group network obj-192.168.1.9-02</P><P>object-group network obj-192.168.1.22</P><P>object-group network obj_any</P><P>object-group network obj_any-01</P><P>object-group network inside</P><P> network-object 192.168.1.0 255.255.255.0</P><P>object-group network vpnclients</P><P> network-object 192.168.2.0 255.255.255.0</P><P>access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 </P><P>access-list smtp extended permit tcp any host 173.163.161.1 eq smtp </P><P>access-list smtp extended permit tcp any host 173.163.161.1 eq https </P><P>access-list smtp extended permit tcp any host 173.163.161.2 eq https </P><P>access-list smtp extended permit tcp any host 173.163.161.1 eq imap4 </P><P>access-list smtp extended permit icmp any any unreachable </P><P>access-list smtp extended permit icmp any any time-exceeded </P><P>access-list smtp extended permit icmp any any echo-reply </P><P>access-list smtp extended permit tcp any host 173.163.x.x eq 9676 </P><P>access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 </P><P>access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 </P><P>access-list Throttle extended permit ip 192.168.5.0 255.255.255.0 any </P><P>access-list Throttle extended permit ip any 192.168.5.0 255.255.255.0 </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.4 eq ldap </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.9 eq smtp </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.9 eq 995 </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.2 eq 9676 </P><P>access-list DMZ_INSIDE extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 </P><P>access-list DMZ_INSIDE extended permit ip any any </P><P>access-list outside_30_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 </P><P>access-list test webtype permit tcp 192.168.1.0 255.255.255.0 log default</P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffer-size 10000</P><P>logging buffered debugging</P><P>logging trap warnings</P><P>logging history errors</P><P>logging asdm notifications</P><P>logging host inside 192.168.1.7</P><P>logging host inside 192.168.1.3 format emblem</P><P>logging host inside 192.168.1.44</P><P>logging debug-trace</P><P>logging permit-hostdown</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu public 1500</P><P>mtu DMZ 1500</P><P>ip local pool xxxxxx 192.168.2.0-192.168.2.253 mask 255.255.255.0</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp deny any outside</P><P>asdm image disk0:/asdm-621.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>global (outside) 2 173.163.x.x netmask 255.255.255.248</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (public) 2 0.0.0.0 0.0.0.0</P><P>nat (DMZ) 1 0.0.0.0 0.0.0.0</P><P>static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255 </P><P>static (inside,outside) tcp interface https 192.168.1.9 https netmask 255.255.255.255 </P><P>static (inside,outside) tcp interface imap4 192.168.1.9 imap4 netmask 255.255.255.255 </P><P>static (inside,outside) tcp 173.163.x.x https 192.168.1.12 https netmask 255.255.255.255 </P><P>static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 </P><P>static (DMZ,outside) 173.163.161.3 172.16.1.2 netmask 255.255.255.255 </P><P>access-group smtp in interface outside</P><P>access-group DMZ_INSIDE in interface DMZ</P><P>route outside 0.0.0.0 0.0.0.0 173.163.161.6 1</P><P>route inside 10.10.1.0 255.255.255.0 192.168.1.201 1</P><P>route inside 10.10.10.0 255.255.255.0 192.168.1.46 1</P><P>route inside 10.10.20.0 255.255.255.0 192.168.1.201 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server VpnUsers protocol radius</P><P>aaa-server VpnUsers (inside) host 192.168.1.4</P><P> timeout 5&nbsp;&nbsp;&nbsp; </P><P> key E2:8Fbgyhbs</P><P>aaa-server AD_Auth protocol nt</P><P>aaa-server AD_Auth (inside) host 192.168.1.4</P><P> nt-auth-domain-controller 192.168.1.4</P><P>aaa authentication http console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication telnet console LOCAL </P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 inside</P><P>http 74.212.x.x 255.255.255.0 outside</P><P>snmp-server host inside 192.168.1.2 community 53cur3-n3t</P><P>snmp-server host inside 192.168.1.7 community 53cur3-n3t</P><P>snmp-server host outside 74.212.x.xcommunity L3t-th3-l1ght-1n</P><P>snmp-server location DC Server Room</P><P>snmp-server contact Dan Steier</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sysopt connection tcpmss 1300</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto ipsec df-bit clear-df inside</P><P>crypto dynamic-map outside_dyn_map 20 set pfs </P><P>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 40 set pfs </P><P>crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 60 set pfs </P><P>crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 80 set pfs </P><P>crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 100 set pfs </P><P>crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 120 set pfs </P><P>crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 140 set pfs </P><P>crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000</P><P>crypto map outside_map 20 match address outside_20_cryptomap</P><P>crypto map outside_map 20 set pfs </P><P>crypto map outside_map 20 set peer 74.42.x.x</P><P>crypto map outside_map 20 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 20 set security-association lifetime seconds 28800</P><P>crypto map outside_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto map outside_map 30 match address outside_30_cryptomap</P><P>crypto map outside_map 30 set peer 66.152.x.x </P><P>crypto map outside_map 30 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map interface outside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet 192.168.1.0 255.255.255.0 inside</P><P>telnet timeout 10</P><P>ssh 192.168.1.0 255.255.255.0 inside</P><P>ssh 74.212.x.0 255.255.255.0 outside</P><P>ssh timeout 10</P><P>ssh version 2</P><P>console timeout 0</P><P>management-access inside</P><P>dhcpd address 192.168.5.10-192.168.5.200 public</P><P>dhcpd dns 208.67.220.220 208.67.222.222 interface public</P><P>dhcpd enable public</P><P>!</P><P></P><P></P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>tftp-server inside 192.168.1.7 c:\tftp-root</P><P>webvpn</P><P>group-policy phccabington internal</P><P>group-policy phccabington attributes</P><P> wins-server value 192.168.1.4 192.168.1.6</P><P> dns-server value 192.168.1.4 192.168.1.6</P><P> vpn-tunnel-protocol IPSec </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value split-tunnel</P><P> default-domain value phcc.int</P><P>group-policy phccvpn internal</P><P>group-policy phccvpn attributes</P><P> wins-server value 192.168.1.4 192.168.1.6</P><P> dns-server value 192.168.1.4 192.168.1.6</P><P> vpn-tunnel-protocol IPSec </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value split-tunnel</P><P> default-domain value</P><P>username password A5oXdNd3.3sEhzYt encrypted privilege 0</P><P>username admin password Qyt908tEpeoOu0oA encrypted</P><P>username d password IdYn1VlBhGzwvlxo encrypted privilege 15</P><P>username d attributes</P><P> vpn-group-policy phccabington</P><P>username lstech password ucUIkhrdvF2Z0BY9 encrypted privilege 15</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group DefaultWEBVPNGroup ipsec-attributes</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group phccvpn type remote-access</P><P>tunnel-group phccvpn general-attributes</P><P> address-pool phccabington</P><P> authentication-server-group PhccVpnUsers</P><P> default-group-policy phccvpn</P><P>tunnel-group phccvpn ipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group 74.42.x.x type ipsec-l2l</P><P>tunnel-group 74.42.x.xipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group 66.152.x.x type ipsec-l2l</P><P>tunnel-group 66.152.x.x ipsec-attributes</P><P> pre-shared-key *</P><P>!</P><P>class-map CM-Public</P><P> match access-list Throttle</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map PM-BWcontrol</P><P> class CM-Public</P><P>&nbsp; police input 1000000</P><P>&nbsp; police output 5000000</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect icmp </P><P></P><P></P><P></P><P>Thanks</P> Tue, 12 Mar 2019 01:41:31 GMT Danny Steier 2019-03-12T01:41:31Z Can't Ping FROM ASA Unit to Inet https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206642#M350132 <P>Hello,</P><P>I have an interesting issue I can't figure out. My setup is simple; &lt;inside network (192.168.1.x)&gt; -------&gt; ASA---------&gt; Inet.</P><P>Clients on the 192.168.1.x subnet can ping 4.2.2.2 and get icmp replies with no problem. However, if I try to do an extended ping from the ASA unit itself I get nothing. What am I missing? Thanks</P><P></P><P></P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address 173.163.x.x </P><P>!</P><P>interface Vlan3</P><P> no forward interface Vlan1</P><P> nameif public</P><P> security-level 10</P><P> ip address 192.168.5.1 255.255.255.0 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Vlan50</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 172.16.1.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P> switchport access vlan 50</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P> switchport access vlan 3</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>boot system disk0:/asdm-631.bin</P><P>ftp mode passive</P><P>dns domain-lookup outside</P><P>dns server-group DefaultDNS</P><P> name-server 4.2.2.2</P><P> domain-name xxxxx</P><P>object-group network obj-192.168.2.0</P><P>object-group network obj-192.168.1.0</P><P>object-group network obj-192.168.3.0</P><P>object-group network obj-192.168.1.9</P><P>object-group network obj-192.168.1.9-01</P><P>object-group network obj-192.168.1.12</P><P>object-group network obj-192.168.1.9-02</P><P>object-group network obj-192.168.1.22</P><P>object-group network obj_any</P><P>object-group network obj_any-01</P><P>object-group network inside</P><P> network-object 192.168.1.0 255.255.255.0</P><P>object-group network vpnclients</P><P> network-object 192.168.2.0 255.255.255.0</P><P>access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 </P><P>access-list smtp extended permit tcp any host 173.163.161.1 eq smtp </P><P>access-list smtp extended permit tcp any host 173.163.161.1 eq https </P><P>access-list smtp extended permit tcp any host 173.163.161.2 eq https </P><P>access-list smtp extended permit tcp any host 173.163.161.1 eq imap4 </P><P>access-list smtp extended permit icmp any any unreachable </P><P>access-list smtp extended permit icmp any any time-exceeded </P><P>access-list smtp extended permit icmp any any echo-reply </P><P>access-list smtp extended permit tcp any host 173.163.x.x eq 9676 </P><P>access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 </P><P>access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 </P><P>access-list Throttle extended permit ip 192.168.5.0 255.255.255.0 any </P><P>access-list Throttle extended permit ip any 192.168.5.0 255.255.255.0 </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.4 eq ldap </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.9 eq smtp </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.9 eq 995 </P><P>access-list DMZ_INSIDE extended permit tcp host 172.16.1.2 host 192.168.1.2 eq 9676 </P><P>access-list DMZ_INSIDE extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 </P><P>access-list DMZ_INSIDE extended permit ip any any </P><P>access-list outside_30_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 </P><P>access-list test webtype permit tcp 192.168.1.0 255.255.255.0 log default</P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffer-size 10000</P><P>logging buffered debugging</P><P>logging trap warnings</P><P>logging history errors</P><P>logging asdm notifications</P><P>logging host inside 192.168.1.7</P><P>logging host inside 192.168.1.3 format emblem</P><P>logging host inside 192.168.1.44</P><P>logging debug-trace</P><P>logging permit-hostdown</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu public 1500</P><P>mtu DMZ 1500</P><P>ip local pool xxxxxx 192.168.2.0-192.168.2.253 mask 255.255.255.0</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp deny any outside</P><P>asdm image disk0:/asdm-621.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>global (outside) 2 173.163.x.x netmask 255.255.255.248</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (public) 2 0.0.0.0 0.0.0.0</P><P>nat (DMZ) 1 0.0.0.0 0.0.0.0</P><P>static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255 </P><P>static (inside,outside) tcp interface https 192.168.1.9 https netmask 255.255.255.255 </P><P>static (inside,outside) tcp interface imap4 192.168.1.9 imap4 netmask 255.255.255.255 </P><P>static (inside,outside) tcp 173.163.x.x https 192.168.1.12 https netmask 255.255.255.255 </P><P>static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 </P><P>static (DMZ,outside) 173.163.161.3 172.16.1.2 netmask 255.255.255.255 </P><P>access-group smtp in interface outside</P><P>access-group DMZ_INSIDE in interface DMZ</P><P>route outside 0.0.0.0 0.0.0.0 173.163.161.6 1</P><P>route inside 10.10.1.0 255.255.255.0 192.168.1.201 1</P><P>route inside 10.10.10.0 255.255.255.0 192.168.1.46 1</P><P>route inside 10.10.20.0 255.255.255.0 192.168.1.201 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server VpnUsers protocol radius</P><P>aaa-server VpnUsers (inside) host 192.168.1.4</P><P> timeout 5&nbsp;&nbsp;&nbsp; </P><P> key E2:8Fbgyhbs</P><P>aaa-server AD_Auth protocol nt</P><P>aaa-server AD_Auth (inside) host 192.168.1.4</P><P> nt-auth-domain-controller 192.168.1.4</P><P>aaa authentication http console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication telnet console LOCAL </P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 inside</P><P>http 74.212.x.x 255.255.255.0 outside</P><P>snmp-server host inside 192.168.1.2 community 53cur3-n3t</P><P>snmp-server host inside 192.168.1.7 community 53cur3-n3t</P><P>snmp-server host outside 74.212.x.xcommunity L3t-th3-l1ght-1n</P><P>snmp-server location DC Server Room</P><P>snmp-server contact Dan Steier</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sysopt connection tcpmss 1300</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto ipsec df-bit clear-df inside</P><P>crypto dynamic-map outside_dyn_map 20 set pfs </P><P>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 40 set pfs </P><P>crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 60 set pfs </P><P>crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 80 set pfs </P><P>crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 100 set pfs </P><P>crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 100 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 100 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 120 set pfs </P><P>crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 120 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 140 set pfs </P><P>crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 140 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 140 set security-association lifetime kilobytes 4608000</P><P>crypto map outside_map 20 match address outside_20_cryptomap</P><P>crypto map outside_map 20 set pfs </P><P>crypto map outside_map 20 set peer 74.42.x.x</P><P>crypto map outside_map 20 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 20 set security-association lifetime seconds 28800</P><P>crypto map outside_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto map outside_map 30 match address outside_30_cryptomap</P><P>crypto map outside_map 30 set peer 66.152.x.x </P><P>crypto map outside_map 30 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map interface outside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet 192.168.1.0 255.255.255.0 inside</P><P>telnet timeout 10</P><P>ssh 192.168.1.0 255.255.255.0 inside</P><P>ssh 74.212.x.0 255.255.255.0 outside</P><P>ssh timeout 10</P><P>ssh version 2</P><P>console timeout 0</P><P>management-access inside</P><P>dhcpd address 192.168.5.10-192.168.5.200 public</P><P>dhcpd dns 208.67.220.220 208.67.222.222 interface public</P><P>dhcpd enable public</P><P>!</P><P></P><P></P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>tftp-server inside 192.168.1.7 c:\tftp-root</P><P>webvpn</P><P>group-policy phccabington internal</P><P>group-policy phccabington attributes</P><P> wins-server value 192.168.1.4 192.168.1.6</P><P> dns-server value 192.168.1.4 192.168.1.6</P><P> vpn-tunnel-protocol IPSec </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value split-tunnel</P><P> default-domain value phcc.int</P><P>group-policy phccvpn internal</P><P>group-policy phccvpn attributes</P><P> wins-server value 192.168.1.4 192.168.1.6</P><P> dns-server value 192.168.1.4 192.168.1.6</P><P> vpn-tunnel-protocol IPSec </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value split-tunnel</P><P> default-domain value</P><P>username password A5oXdNd3.3sEhzYt encrypted privilege 0</P><P>username admin password Qyt908tEpeoOu0oA encrypted</P><P>username d password IdYn1VlBhGzwvlxo encrypted privilege 15</P><P>username d attributes</P><P> vpn-group-policy phccabington</P><P>username lstech password ucUIkhrdvF2Z0BY9 encrypted privilege 15</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group DefaultWEBVPNGroup ipsec-attributes</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group phccvpn type remote-access</P><P>tunnel-group phccvpn general-attributes</P><P> address-pool phccabington</P><P> authentication-server-group PhccVpnUsers</P><P> default-group-policy phccvpn</P><P>tunnel-group phccvpn ipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group 74.42.x.x type ipsec-l2l</P><P>tunnel-group 74.42.x.xipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive threshold 15 retry 10</P><P>tunnel-group 66.152.x.x type ipsec-l2l</P><P>tunnel-group 66.152.x.x ipsec-attributes</P><P> pre-shared-key *</P><P>!</P><P>class-map CM-Public</P><P> match access-list Throttle</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map PM-BWcontrol</P><P> class CM-Public</P><P>&nbsp; police input 1000000</P><P>&nbsp; police output 5000000</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect icmp </P><P></P><P></P><P></P><P>Thanks</P> Tue, 12 Mar 2019 01:41:31 GMT https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206642#M350132 Danny Steier 2019-03-12T01:41:31Z Can't Ping FROM ASA Unit to Inet https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206643#M350133 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you copy/paste the exact command used on the ASA?</P><P></P><P>The ASA generally controls ICMP messages of all kind towards it interfaces with the command "icmp"</P><P></P><P>You seem to currently have it block every type of ICMP message from any source address on the "outside"</P><P></P><P><STRONG>icmp deny any outside</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 10 May 2013 16:29:57 GMT https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206643#M350133 Jouni Forss 2013-05-10T16:29:57Z Can't Ping FROM ASA Unit to Inet https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206644#M350134 <HTML><HEAD></HEAD><BODY><P>The actual "icmp" could be configured like this I guess</P><P></P><P><STRONG>no icmp deny any outside</STRONG></P><P></P><P><STRONG>icmp permit any echo-reply outside</STRONG></P><P><STRONG>icmp permit any time-exceeded outside</STRONG></P><P><STRONG>icmp permit any unreachable outside</STRONG></P><P><STRONG>icmp deny any outside</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 10 May 2013 16:41:08 GMT https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206644#M350134 Jouni Forss 2013-05-10T16:41:08Z Can't Ping FROM ASA Unit to Inet https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206645#M350135 <HTML><HEAD></HEAD><BODY><P>Oops! I didn't see that...wow (feeling really dumb right now). Thanks for pointing out what I overlooked!! I removed it and I can now ping from the ASA.&nbsp; Thanks</P></BODY></HTML> Fri, 10 May 2013 18:22:37 GMT https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206645#M350135 Danny Steier 2013-05-10T18:22:37Z Can't Ping FROM ASA Unit to Inet https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206646#M350136 <HTML><HEAD></HEAD><BODY><P>No problem,</P><P></P><P>Please mark the question as answered <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 10 May 2013 18:27:34 GMT https://community.cisco.com/t5/network-security/can-t-ping-from-asa-unit-to-inet/m-p/2206646#M350136 Jouni Forss 2013-05-10T18:27:34Z