https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114808#M394540 <HTML><HEAD></HEAD><BODY><P>Deleted one of my replies as it had been marked as the correct answer (even though it wasnt <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN>)</P></BODY></HTML> Thu, 06 Dec 2012 20:57:38 GMT Jouni Forss 2012-12-06T20:57:38Z https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114804#M394536 <P>Hey all,</P><P></P><P>We have an ASA 5520 with multiple public IP addresses. I am using one with a one to one NAT translation and an access-list that is allowing ip any on that public IP address. The device sitting behind the firewall is a sever listening on 443 and is pingable internally. My issue is I am trying to access it from outside, I can access it's web interface on 443 just fine but cannot ping it externally.</P><P></P><P>I've also got the following listed.</P><P></P><P>access-list Outside_Access_In remark Access-List Controlling Public Traffic Into Network</P><P>access-list Outside_Access_In permit icmp any any</P><P>access-list Outside_Access_In permit icmp any any echo</P><P>access-list Outside_Access_In permit icmp any any echo-reply</P><P>access-list Outside_Access_In permit icmp any any source-quench</P><P>access-list Outside_Access_In permit icmp any any time-exceeded</P><P>access-list Outside_Access_In permit icmp any any unreachable</P><P>icmp permit 192.168.1.0 255.255.255.0 echo outside</P><P>icmp permit any outside</P><P>access-group Outside_Access_In in interface outside</P> Tue, 12 Mar 2019 00:34:00 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114804#M394536 Christie Brinker 2019-03-12T00:34:00Z https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114805#M394537 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Have you enable ICMP Inspection?</P><P></P><P>It should automatically enable the echo reply to come through.</P><P></P><P>Have you confirmed that the "icmp/echo" ACL rule has its "hitcnt" increased when looking with the command "show access-list" command?</P><P></P><P>It can be configured on the CLI with the following</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P><STRONG>&nbsp; inspect icmp</STRONG></P><P></P><P>The <STRONG>"icmp permit"</STRONG> commands are used to allow ICMP directly to the interface. It doesnt affect actual ICMP going through the firewall.<STRONG><BR /></STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 06 Dec 2012 19:57:49 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114805#M394537 Jouni Forss 2012-12-06T19:57:49Z https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114806#M394538 <HTML><HEAD></HEAD><BODY><P>Christie,</P><P></P><P>Could you please share the NAT you are using for this server? Most of the cases problems like this are related to default gateway on the internal server. If the ping comes from an external IP the server/PC does not know how to response or response to another device and the packet is lost. Make sure the server has a default gateway and make sure it is configure fine. </P><P></P><P>The only reason I can think of on the ASA is that you are using port forwarding instead of one to one translation. </P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Thu, 06 Dec 2012 20:00:37 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114806#M394538 julomban 2012-12-06T20:00:37Z https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114807#M394539 <HTML><HEAD></HEAD><BODY><P>I added the inspect icmp but no luck there. I checked the hitcnt and it is showing 0 for the icmp echo-reply and echo.</P><P></P><P></P><P>Here's the statements with IP addresses changed for security.</P><P></P><P><BR />access-list outside_access_in extended permit ip any host 111.111.111.111</P><P></P><P>access-group outside_access_in in interface outside</P><P></P><P>static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255</P></BODY></HTML> Thu, 06 Dec 2012 20:09:47 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114807#M394539 Christie Brinker 2012-12-06T20:09:47Z https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114808#M394540 <HTML><HEAD></HEAD><BODY><P>Deleted one of my replies as it had been marked as the correct answer (even though it wasnt <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN>)</P></BODY></HTML> Thu, 06 Dec 2012 20:57:38 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-ping-out-to-in-with-nat-translation/m-p/2114808#M394540 Jouni Forss 2012-12-06T20:57:38Z