https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995467#M434584 <P>Could some security expert please help me understand icmp behavior for an ASA running 8.0 or 8.2? </P><P>My inside hosts (sitting behind the inside interface of ASA) can ping an external IP (on internet) . But when I ping that same external IP from the firewall, I don't get any reply.</P><P></P><P>Thanks,</P><P>Kashish</P> Mon, 11 Mar 2019 23:16:52 GMT Kashish_Patel 2019-03-11T23:16:52Z https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995467#M434584 <P>Could some security expert please help me understand icmp behavior for an ASA running 8.0 or 8.2? </P><P>My inside hosts (sitting behind the inside interface of ASA) can ping an external IP (on internet) . But when I ping that same external IP from the firewall, I don't get any reply.</P><P></P><P>Thanks,</P><P>Kashish</P> Mon, 11 Mar 2019 23:16:52 GMT https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995467#M434584 Kashish_Patel 2019-03-11T23:16:52Z https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995468#M434585 <HTML><HEAD></HEAD><BODY><P>Do you have "icmp" command configured on your ASA that might be blocking it.</P><P></P><P>You can configure:</P><P>icmp permit any outside</P></BODY></HTML> Fri, 08 Jun 2012 02:18:56 GMT https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995468#M434585 Jennifer Halim 2012-06-08T02:18:56Z https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995469#M434586 <HTML><HEAD></HEAD><BODY><P>As per packet tracer, ping should be successful.</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; outside</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group citrix-dmz1-perm-all-tmp in interface citrix-dmz1</P><P>access-list citrix-dmz1-perm-all-tmp extended permit ip any any</P><P>Additional Information:</P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 5</P><P>Type: INSPECT</P><P>Subtype: np-inspect</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 6</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 1746235146, packet dispatched to next module</P><P></P><P>Phase: 7</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: output and adjacency</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>found next-hop 10.244.16.185 using egress ifc outside</P><P>adjacency Active</P><P>next-hop mac address 0015.63e8.d3d1 hits 12697093</P><P></P><P>Result:</P><P>input-interface: citrix-dmz1</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P></P><P>Still only the inside hosts (sitting behind the inside interface of ASA) can ping an&nbsp; external IP (on internet) . But when I ping that same external IP from&nbsp; the firewall, I don't get any reply.</P></BODY></HTML> Fri, 08 Jun 2012 02:48:44 GMT https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995469#M434586 Kashish_Patel 2012-06-08T02:48:44Z https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995470#M434587 <HTML><HEAD></HEAD><BODY><P>Can you please share your config. Thx</P></BODY></HTML> Fri, 08 Jun 2012 02:49:50 GMT https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995470#M434587 Jennifer Halim 2012-06-08T02:49:50Z https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995471#M434588 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>I have sent you the config file as a private message.</P><P></P><P>Thanks,</P><P>Ritika</P></BODY></HTML> Fri, 08 Jun 2012 03:02:53 GMT https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995471#M434588 Kashish_Patel 2012-06-08T03:02:53Z https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995472#M434589 <HTML><HEAD></HEAD><BODY><P>The reason why you can't ping from the ASA itself is because your ASA outside interface has private IP Address hence it's not routable on the Internet.</P><P>All your internal network has public IP assigned, therefore you can ping external host on the Internet.</P></BODY></HTML> Fri, 08 Jun 2012 03:05:02 GMT https://community.cisco.com/t5/network-security/ping-through-asa/m-p/1995472#M434589 Jennifer Halim 2012-06-08T03:05:02Z