topic Inside users not able to ping to outside interface ip. in Network Security

Inside users not able to ping to outside interface ip.

prashantrecon — Mon, 11 Mar 2019 21:21:33 GMT

We are not able to ping to the outside interface of the firewall from inside network (lan network).(ie trafic directed at the interface)

I have executed the command icmp permit any echo-reply outside

icmp permit any echo outside.

Still we are not able to ping outside interface.

I have also created the accesslist so that the internet user are able to ping to outside interface of the firewall .This is working fine.

Please suggest so that inside users should be able to ping outside interface.

Inside users not able to ping to outside interface ip.

varrao — Wed, 07 Sep 2011 10:08:54 GMT

Hi Prashant,

Due to security features of the ASA, you would never be able to ping remote interfaces on the ASA, which means no ping would work from inside LAN to outside interface and from internet to inside interface. This is not possible.

You would only be able to ping inside interface from LAN, or the default gateway for the firewall, if you are afcing any issues with pinging the internet ip's from the LAN, let me know.

Hope this was useful.

Thanks,

Varun

Please do rate helpful posts.

Inside users not able to ping to outside interface ip.

Jennifer Halim — Wed, 07 Sep 2011 10:08:59 GMT

Yes, that is the correct default behaviour.

You will not be able to ping the opposite interface of the firewall.

Eg: if your PC is connected to the inside interface, you can only ping the inside interface of the firewall, or anything through the firewall, but not any other interfaces but inside interface of the firewall.

If you want to ping the firewall outside interface, you can ping it from the internet only.

Inside users not able to ping to outside interface ip.

prashantrecon — Wed, 07 Sep 2011 11:14:02 GMT

As mentioned in Richard Deal book he has explained the topic called called trafic directed at the interface .

Could u please clear this.

Inside users not able to ping to outside interface ip.

varrao — Wed, 07 Sep 2011 11:18:01 GMT

Hi Prashant,

I am not sure about what is written in the book, haven't read it but what it may be indicating is the ASA interface to which the LAN machines are connected to. Can you paste the excerpts from the book, because am sure it does not mention anything about the remote interfaces, this is not possible and cannot be done. Do let me know if you have any doubts.

Hope this helps

Thanks,

Varun

Inside users not able to ping to outside interface ip.

prashantrecon — Wed, 07 Sep 2011 11:29:28 GMT

Could u please explain the below concept

Restricting ICMP Traffic Directed at the Appliance

The remainder of this section will focus on using the ICMP filtering feature. To control

ICMP messages destined to an interface on the appliance, use the icmp command:

ciscoasa(config)# icmp {permit | deny}

src_IP_address src_subnet_mask

[ICMP_message_type] logical_if_name

You must specify a source IP address and a subnet mask. Unlike with an extended ACL,

there is no destination IP address, because the security appliance, itself, is the destination.

You can qualify which ICMP messages are allowed or denied by entering a value for

the ICMP_message_type parameter. The message types can be entered as either a name

or a number. If you omit the message type, the appliance will assume that you want to allow

or deny all ICMP messages. The last parameter is the name of the interface for which

you want to restrict ICMP messages.

The appliance processes the icmp commands top-down for an interface. In other

words, when the appliance receives an ICMP packet destined to one of its interfaces, it

checks to see if any icmp commands are associated with the interface. If none is defined

for the interface, the appliance processes the ICMP message and responds with the appropriate

ICMP response. If an ICMP filter is on the interface, the appliance processes

the icmp commands based on the order in which you entered them. If the appliance goes

through the entire list and doesn’t find a match, the appliance drops the ICMP message;

this is like the implicit deny statement at the end of an ACL.

To remove a specific icmp command, preface it with the no parameter. To delete all the

icmp commands that you have configured, use the clear configure icmp command.

NOTE As with ACLs, an implicit deny is at the end of the icmp command list. Therefore, if you use

the icmp command, you should at least specify one permit statement per interface, unless you

want your appliance to be completely invisible from ICMP traffic on the specified interface.

ICMP Filtering Example

Now let’s take a look at an example on how to use the icmp command to restrict ICMP

messages directed at an appliance interface. In this example, you want to be able to test

connectivity from the appliance to other destinations on the Internet, and you want the

appliance to process only certain ICMP packets to aid in connectivity testing—all other

ICMP messages should be dropped. Here’s an example of how to accomplish this:

ciscoasa(config)# icmp permit any conversion-error outside

ciscoasa(config)# icmp permit any echo-reply outside

ciscoasa(config)# icmp permit any parameter-problem outside

ciscoasa(config)# icmp permit any source-quench outside

ciscoasa(config)# icmp permit any time-exceeded outside

ciscoasa(config)# icmp permit any unreachable outside

ciscoasa(config)# icmp deny any outside

Inside users not able to ping to outside interface ip.

varrao — Wed, 07 Sep 2011 11:38:11 GMT

Hi Prashant,

Whatever explanation you see in this is for this case, if the host is connected to that interface only, which means:

Users on the internet need to ping outside interface

users in the lan need to ping inside interface

nowhere it is written that you can ping outside interface from the inside network lan, it is only if you are behind that interface. Don't worry you can take our word on this for the Cisco ASA

Thanks,

Varun

Inside users not able to ping to outside interface ip.

prashantrecon — Wed, 07 Sep 2011 12:14:00 GMT

Thank you varun,

My doubt is cleared now.

Inside users not able to ping to outside interface ip.

varrao — Wed, 07 Sep 2011 12:17:10 GMT

No issues

You can mark this thread as answered and do rate helpful posts.

Thanks,

Varun