https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702082#M534724 <HTML><HEAD></HEAD><BODY><P>Randy, </P><P>Can you please post out put of the following from this easy vpnclient asa ?</P><P>1&gt; sh crypto isakmp sa </P><P></P><P>2&gt; sh crypto ipsec sa </P><P></P><P>Then issue 10-20 pings to the asa :- </P><P></P><P>3&gt; sh crypto ipsec sa </P><P></P><P>Please when you are changing the ip's before posting , do like 1.1.1.1 = 1.x.x.1 , so that It's easier to understand the policies pushed by the headend to the client.</P><P></P><P>Thanks </P><P>Manish </P></BODY></HTML> Fri, 29 Jul 2011 16:21:47 GMT manish arora 2011-07-29T16:21:47Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702063#M534673 <P>How do I allow my outside interface to be pingable from the outside? I've tried configuring an access to allow icmp on the outside interface with no success. I'm still seeing the deny inbound icmp type 8 code 0 messages in the syslog.&nbsp; Thanks. </P> Mon, 11 Mar 2019 21:05:27 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702063#M534673 rmessina 2019-03-11T21:05:27Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702064#M534674 <HTML><HEAD></HEAD><BODY><P>Can you please post the output of sh service-policy | in icmp , if nothing shows up then do :- </P><P>asa(config)# fixup protocol icmp</P><P></P><P>Also, if that doesn't help post the syslog + access-list and access-group for that access-list.</P><P></P><P>Manish </P></BODY></HTML> Thu, 28 Jul 2011 22:34:34 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702064#M534674 manish arora 2011-07-28T22:34:34Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702065#M534675 <HTML><HEAD></HEAD><BODY><P>Inspect: icmp, packet 3745, drop 337, reset-drop 0.&nbsp; Thanks</P></BODY></HTML> Thu, 28 Jul 2011 23:58:34 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702065#M534675 rmessina 2011-07-28T23:58:34Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702066#M534676 <HTML><HEAD></HEAD><BODY><P>Randy, </P><P></P><P>Can you please post the&nbsp; "sh logging" output and also the access-list + access-group for the outside interface.</P><P>Also are you tring to ping the outside interface from inside the firewall or from outside nuetral location ?</P><P></P><P>Manish </P></BODY></HTML> Fri, 29 Jul 2011 00:33:03 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702066#M534676 manish arora 2011-07-29T00:33:03Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702067#M534677 <HTML><HEAD></HEAD><BODY><P>lots of this....</P><P></P><P>%ASA-3-313001: Denied ICMP type=8, code=0 from x.x.x.x on interface outside</P><P>%ASA-3-313001: Denied ICMP type=8, code=0 from x.x.x.x on interface outside</P><P></P><P>only thing in the access-list for the outside interface is </P><P>allow any any icmp then the implicit deny at the end.</P><P></P><P>I just want the outside interface pingable from an outside location for temporary testing.&nbsp; </P><P></P><P>Thanks for your help!</P></BODY></HTML> Fri, 29 Jul 2011 00:47:30 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702067#M534677 rmessina 2011-07-29T00:47:30Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702068#M534678 <HTML><HEAD></HEAD><BODY><P>It might be foolish to ask but did you apply the access-list on the interface ?? </P><P>if yes then :- </P><P>1&gt; Please provide the version running on the asa ? </P><P>2&gt; paste output from&nbsp; :- </P><P>&nbsp;&nbsp;&nbsp;&nbsp; asa# packet-tracer input outside icmp x.x.x.x ( remote ip add)&nbsp; 8 0 X.X.X.X ( outside interface ip ) detailed</P><P></P><P>Manish </P></BODY></HTML> Fri, 29 Jul 2011 01:09:12 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702068#M534678 manish arora 2011-07-29T01:09:12Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702069#M534679 <HTML><HEAD></HEAD><BODY><P>yes I created the access-rule in asdm</P><P>ver 8.2(2)</P><P></P><P></P><P></P><P>Phase: 1</P><P>Type: CP-PUNT</P><P>Subtype: l2-selective</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcac596e0, priority=12, domain=punt, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=487, user_data=0xca8d9b20, cs_id=0x0, l3_type=0x8</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src mac=0000.0000.0000, mask=0000.0000.0000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst mac=0000.0000.0000, mask=0000.0000.0000</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xc9982370, priority=1, domain=permit, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=5439727, user_data=0x0, cs_id=0x0, l3_type=0x8</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src mac=0000.0000.0000, mask=0000.0000.0000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst mac=0000.0000.0000, mask=0100.0000.0000</P><P></P><P></P><P>Phase: 3</P><P>Type: FLOW-LOOKUP</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P></P><P>Phase: 4</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.255 identity</P><P></P><P></P><P>Phase: 5</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xc9983b90, priority=120, domain=permit, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=7629, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P></P><P>Phase: 6</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xc9984aa8, priority=0, domain=inspect-ip-options, deny=true</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=1348069, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P></P><P>Phase: 7</P><P>Type: VPN</P><P>Subtype: ipsec-tunnel-flow</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcaa2a028, priority=69, domain=ipsec-tunnel-flow, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=26, user_data=0xce47464, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=, mask=255.255.255.255, port=0, dscp=0x0</P><P></P><P></P><P>Phase: 8</P><P>Type: INSPECT</P><P>Subtype: np-inspect</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xc9984280, priority=66, domain=inspect-icmp, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=7662, user_data=0xc9984168, cs_id=0x0, use_real_addr, flags=0x0, protocol=1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P></P><P>Phase: 9</P><P>Type: INSPECT</P><P>Subtype: np-inspect</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xc9984720, priority=66, domain=inspect-icmp-error, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=1308719, user_data=0xc9984608, cs_id=0x0, use_real_addr, flags=0x0, protocol=1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P></P><P>Phase: 10</P><P>Type: VPN</P><P>Subtype: encrypt</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Reverse Flow based lookup yields rule:</P><P> out id=0xca811740, priority=70, domain=encrypt, deny=false</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=26, user_data=0xce2a3ec, cs_id=0xca5aa648, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip=, mask=255.255.255.255, port=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: NP Identity Ifc</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (ipsec-spoof) IPSEC Spoof detected</P></BODY></HTML> Fri, 29 Jul 2011 01:23:22 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702069#M534679 rmessina 2011-07-29T01:23:22Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702070#M534680 <HTML><HEAD></HEAD><BODY><P>Do you have the source and destination ip address in any vpn interesting traffic acl ? </P><P></P><P>Drop-reason: (ipsec-spoof) IPSEC Spoof detected :- </P><P>This counter will increment when the security appliance receives a&nbsp; packet which should have been encrypted but was not. The packet matched&nbsp; the inner header security policy check of a configured and established&nbsp; IPSec connection on the security appliance but was received unencrypted.&nbsp; This is a security issue. </P><P></P><P>Manish </P></BODY></HTML> Fri, 29 Jul 2011 01:36:21 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702070#M534680 manish arora 2011-07-29T01:36:21Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702071#M534683 <HTML><HEAD></HEAD><BODY><P>I'm using Easy VPN</P></BODY></HTML> Fri, 29 Jul 2011 01:56:41 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702071#M534683 rmessina 2011-07-29T01:56:41Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702072#M534685 <HTML><HEAD></HEAD><BODY><P>You should post your configuration ( remove passwords and change public ip's like 1.1.1.1 = 1.x.x.1 ) , I think there is some misconfiguration that is causing the firewall to see ICMP packets from your source as encrypted where as it should be encrypted.</P><P></P><P>Manish </P></BODY></HTML> Fri, 29 Jul 2011 02:19:49 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702072#M534685 manish arora 2011-07-29T02:19:49Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702073#M534689 <HTML><HEAD></HEAD><BODY><P>Check if ICMP Inspect is enabled in the global policy-map.</P></BODY></HTML> Fri, 29 Jul 2011 13:03:18 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702073#M534689 Tim Schneider 2011-07-29T13:03:18Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702074#M534697 <HTML><HEAD></HEAD><BODY><P>ICMP inspect is enabled.&nbsp; Thanks Tim. </P></BODY></HTML> Fri, 29 Jul 2011 13:12:40 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702074#M534697 rmessina 2011-07-29T13:12:40Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702075#M534705 <HTML><HEAD></HEAD><BODY><P>The address on the outside interface that we are trying to ping is assigned via DHCP.. Below is the running config.&nbsp; We are using Easy VPN to establish a VPN connection back to our office.&nbsp;&nbsp; </P><P></P><P></P><P>ASA Version 8.2(2) </P><P>!</P><P>hostname ASA5505</P><P>domain-name </P><P>enable password encrypted</P><P>passwd encrypted</P><P>names</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.11.49 255.255.255.240 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address dhcp setroute </P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>boot system disk0:/asa822-k8.bin</P><P>ftp mode passive</P><P>clock timezone CST -6</P><P>clock summer-time CDT recurring</P><P>dns server-group DefaultDNS</P><P> domain-name</P><P>access-list outside_access_in extended permit icmp any any </P><P>pager lines 24</P><P>logging enable</P><P>logging buffer-size 16000</P><P>logging buffered informational</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any echo-reply outside</P><P>asdm image disk0:/asdm-634-53.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>access-group outside_access_in in interface outside</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 inside</P><P>http 10.0.0.0 255.0.0.0 inside</P><P>http 192.168.11.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community </P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>telnet 10.0.0.0 255.0.0.0 inside</P><P>telnet 192.168.11.0 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh 10.0.0.0 255.0.0.0 inside</P><P>ssh timeout 5</P><P>console timeout 30</P><P>management-access inside</P><P>dhcpd lease 86400</P><P>dhcpd domain us</P><P>dhcpd auto_config outside</P><P>dhcpd option 150 ip 10.20.20.11 10.20.20.12</P><P>!</P><P>dhcpd address 192.168.11.50-192.168.11.62 inside</P><P>dhcpd dns 10.20.16.4 10.20.16.3 interface inside</P><P>dhcpd domain interface inside</P><P>dhcpd enable inside</P><P>!</P><P>vpnclient server x.x.x.x</P><P>vpnclient mode network-extension-mode</P><P>vpnclient nem-st-autoconnect</P><P>vpnclient vpngroup Kiosk password </P><P>vpnclient username branch password </P><P>vpnclient enable</P><P>threat-detection basic-threat</P><P>threat-detection statistics host</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 10.20.0.1 source inside prefer</P><P>webvpn</P><P>username </P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect ip-options </P><P>&nbsp; inspect icmp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com">callhome@cisco.com</A></P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCESer">https://tools.cisco.com/its/service/oddce/services/DDCESer</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>: end</P><P>asdm image disk0:/asdm-634-53.bin</P><P>no asdm history enable</P></BODY></HTML> Fri, 29 Jul 2011 13:18:56 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702075#M534705 rmessina 2011-07-29T13:18:56Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702076#M534710 <HTML><HEAD></HEAD><BODY><P>Another idea:</P><P>Have you enabled icmp permissions on the outside interface?</P><P></P><P>ASA(config)# interf eth0/0</P><P>ASA(config-if)# i</P><P>ASA(config-if)# icmp ?</P><P></P><P>configure mode commands/options:</P><P>&nbsp; deny&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Specify packets to reject</P><P>&nbsp; permit&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Specify packets to forward</P><P>&nbsp; unreachable&nbsp; Configure unreachable behavior</P></BODY></HTML> Fri, 29 Jul 2011 13:24:31 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702076#M534710 Tim Schneider 2011-07-29T13:24:31Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702077#M534712 <HTML><HEAD></HEAD><BODY><P>I tried 'icmp permit any outside' on eth0/0 with no success.&nbsp; It's really frustrating.. Thanks for the suggestions. </P></BODY></HTML> Fri, 29 Jul 2011 13:31:04 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702077#M534712 rmessina 2011-07-29T13:31:04Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702078#M534715 <HTML><HEAD></HEAD><BODY><P>I'm assuming you're trying to ping the outside interface over VPN?</P><P>Try deactivating Antispoofing - </P><P>no ip verify reverse-path interface outside</P></BODY></HTML> Fri, 29 Jul 2011 13:52:58 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702078#M534715 Tim Schneider 2011-07-29T13:52:58Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702079#M534716 <HTML><HEAD></HEAD><BODY><P>Just tried that still no luck.&nbsp; I'm trying to ping the outside interface IP address, not over the VPN tunnel.&nbsp; I can ping all the way to the last hop before my outside interface IP, and I see the ICMP drops in the syslog so I know that the firewall is dropping the ping.&nbsp; </P></BODY></HTML> Fri, 29 Jul 2011 13:57:18 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702079#M534716 rmessina 2011-07-29T13:57:18Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702080#M534719 <HTML><HEAD></HEAD><BODY><P>Randy, </P><P>Are you trying to ping the outside interface from the vpnclient server ( the headend device ) ?&nbsp; As far as I can think , there isn't any issue with ICMP allowed or inspect but since you are using this 5505 as an easy&nbsp; vpnclient it is assuming the traffic from the headend should be recieved with IPsec encryption and not unencrypted. </P><P>can you please check the settings on the Headend device if thats the case ?</P><P></P><P>Manish </P></BODY></HTML> Fri, 29 Jul 2011 15:57:28 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702080#M534719 manish arora 2011-07-29T15:57:28Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702081#M534722 <HTML><HEAD></HEAD><BODY><P>No, I'm trying to ping from a server out on the interwebs... well i've tried pinging it from many locations honestly. </P></BODY></HTML> Fri, 29 Jul 2011 16:03:14 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702081#M534722 rmessina 2011-07-29T16:03:14Z https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702082#M534724 <HTML><HEAD></HEAD><BODY><P>Randy, </P><P>Can you please post out put of the following from this easy vpnclient asa ?</P><P>1&gt; sh crypto isakmp sa </P><P></P><P>2&gt; sh crypto ipsec sa </P><P></P><P>Then issue 10-20 pings to the asa :- </P><P></P><P>3&gt; sh crypto ipsec sa </P><P></P><P>Please when you are changing the ip's before posting , do like 1.1.1.1 = 1.x.x.1 , so that It's easier to understand the policies pushed by the headend to the client.</P><P></P><P>Thanks </P><P>Manish </P></BODY></HTML> Fri, 29 Jul 2011 16:21:47 GMT https://community.cisco.com/t5/network-security/allow-ping-to-outside-interface/m-p/1702082#M534724 manish arora 2011-07-29T16:21:47Z