https://community.cisco.com/t5/network-security/cannot-ping-external-ip-from-inside-firewall/m-p/1646331#M564866 <HTML><HEAD></HEAD><BODY><P>You are not allowed to ping from the inside network the external interface of the ASA, you should be able to ping any other external IP but not the IP of another interface of the ASA, only the directly attached interface is able to respond to ping.</P><P></P><P>This is a limitation on the ASA</P></BODY></HTML> Mon, 28 Feb 2011 19:13:38 GMT PAUL GILBERT ARIAS 2011-02-28T19:13:38Z https://community.cisco.com/t5/network-security/cannot-ping-external-ip-from-inside-firewall/m-p/1646329#M564864 <P>I am trying to ping 99.23.119.78 from inside our firewall and am receiving a request timeout. I receive a response from outside the firewall though.</P><P></P><P>Can someone help?</P><P></P><P>Thanks!</P><P></P><P>Here is my current config:</P><P>Result of the command: "show running-config"</P><P>: Saved<BR />:<BR />ASA Version 8.2(1) <BR />!<BR />hostname ciscoasa<BR />enable password qVQaNBP31RadYDLM encrypted<BR />passwd 2KFQnbNIdI.2KYOU encrypted<BR />names<BR />!<BR />interface Vlan1<BR /> nameif inside<BR /> security-level 100<BR /> ip address 192.168.1.1 255.255.255.0 <BR />!<BR />interface Vlan2<BR /> nameif ATT<BR /> security-level 0<BR /> pppoe client vpdn group ATT<BR /> ip address pppoe setroute <BR />!<BR />interface Ethernet0/0<BR /> switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR />!<BR />interface Ethernet0/2<BR />!<BR />interface Ethernet0/3<BR />!<BR />interface Ethernet0/4<BR />!<BR />interface Ethernet0/5<BR />!<BR />interface Ethernet0/6<BR />!<BR />interface Ethernet0/7<BR />!<BR />ftp mode passive<BR />clock timezone EST -5<BR />clock summer-time EDT recurring<BR />same-security-traffic permit inter-interface<BR />object-group service DM_INLINE_TCP_1 tcp<BR /> port-object eq ftp<BR /> port-object eq ftp-data<BR /> port-object eq www<BR />access-list ATT_access_in remark Linkstation Access<BR />access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1 <BR />access-list ATT_access_in remark Linkstation FTP<BR />access-list ATT_access_in extended permit tcp any interface ATT eq ftp <BR />access-list ATT_access_in remark Linkstation FTP-Data<BR />access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data <BR />access-list ATT_access_in remark Linkstation FTP HTTP Customer<BR />access-list ATT_access_in extended permit tcp any interface ATT eq www <BR />access-list ATT_access_in remark Linkstation Remote Admin<BR />access-list ATT_access_in extended permit tcp any host 99.23.119.73 eq www <BR />access-list ATT_access_in remark RealVNC<BR />access-list ATT_access_in extended permit tcp any interface ATT eq 5510 <BR />access-list ATT_access_in extended permit tcp any host 99.23.119.78 eq 29000 <BR />access-list ATT_access_in extended permit tcp any host 99.23.119.78 eq 39000 <BR />access-list ATT_access_in extended permit tcp any host 192.168.1.4 eq 5510 <BR />access-list ATT_access_in remark Linkstation Access<BR />access-list ATT_access_in remark Linkstation FTP<BR />access-list ATT_access_in remark Linkstation FTP-Data<BR />access-list ATT_access_in remark Linkstation FTP HTTP Customer<BR />access-list ATT_access_in remark Linkstation Remote Admin<BR />access-list ATT_access_in remark RealVNC<BR />access-list ATT_access_in remark Linkstation Access<BR />access-list ATT_access_in remark Linkstation FTP<BR />access-list ATT_access_in remark Linkstation FTP-Data<BR />access-list ATT_access_in remark Linkstation FTP HTTP Customer<BR />access-list ATT_access_in remark Linkstation Remote Admin<BR />access-list ATT_access_in remark RealVNC<BR />access-list ATT_access_in extended permit icmp any any echo <BR />access-list ATT_access_in extended permit icmp any any echo-reply <BR />access-list extended extended permit tcp any host 192.168.1.3 eq ftp <BR />access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data <BR />access-list extended extended permit tcp any host 192.168.1.3 eq www <BR />access-list extended extended permit tcp any host 99.23.119.73 eq 5900 <BR />access-list extended extended permit tcp any host 99.23.119.73 eq 5510 <BR />access-list extended extended permit tcp any host 99.23.119.73 eq 5511 <BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu inside 1500<BR />mtu ATT 1500<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />global (ATT) 1 interface<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />static (inside,ATT) tcp 99.23.119.73 www 192.168.1.3 www netmask 255.255.255.255 <BR />static (inside,ATT) tcp interface 29000 192.168.1.4 29000 netmask 255.255.255.255 <BR />static (inside,ATT) tcp interface 39000 192.168.1.4 39000 netmask 255.255.255.255 <BR />static (inside,ATT) tcp interface 5510 192.168.1.4 5510 netmask 255.255.255.255 <BR />static (inside,ATT) tcp interface 5511 192.168.1.4 5511 netmask 255.255.255.255 <BR />static (inside,ATT) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255 <BR />static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255&nbsp; dns <BR />access-group ATT_access_in in interface ATT<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 inside<BR />http 0.0.0.0 0.0.0.0 ATT<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart<BR />crypto ipsec security-association lifetime seconds 28800<BR />crypto ipsec security-association lifetime kilobytes 4608000<BR />telnet timeout 5<BR />ssh 0.0.0.0 0.0.0.0 ATT<BR />ssh timeout 5<BR />console timeout 0<BR />vpdn group ATT request dialout pppoe<BR />vpdn group ATT localname <A href="mailto:eossolutions@static.att.net" target="_blank">eossolutions@static.att.net</A><BR />vpdn group ATT ppp authentication pap<BR />vpdn username <A href="mailto:eossolutions@static.att.net" target="_blank">eossolutions@static.att.net</A> password ********* store-local<BR />dhcpd auto_config ATT<BR />!<BR />dhcpd address 192.168.1.5-192.168.1.132 inside<BR />dhcpd enable inside<BR />!</P><P>threat-detection basic-threat<BR />threat-detection statistics port<BR />threat-detection statistics protocol<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />webvpn<BR />!<BR />class-map inspection_default<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR /> parameters<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR /> class inspection_default<BR />&nbsp; inspect dns preset_dns_map <BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect rsh <BR />&nbsp; inspect rtsp <BR />&nbsp; inspect esmtp <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect skinny&nbsp; <BR />&nbsp; inspect sunrpc <BR />&nbsp; inspect xdmcp <BR />&nbsp; inspect sip&nbsp; <BR />&nbsp; inspect netbios <BR />&nbsp; inspect tftp <BR />!<BR />service-policy global_policy global<BR />prompt hostname context <BR />Cryptochecksum:bd6ede5c5400c2d1472282d3834f49f1<BR />: end</P> Mon, 11 Mar 2019 19:58:38 GMT https://community.cisco.com/t5/network-security/cannot-ping-external-ip-from-inside-firewall/m-p/1646329#M564864 jill.kane 2019-03-11T19:58:38Z https://community.cisco.com/t5/network-security/cannot-ping-external-ip-from-inside-firewall/m-p/1646330#M564865 <HTML><HEAD></HEAD><BODY><P><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace</A></P></BODY></HTML> Mon, 28 Feb 2011 19:10:57 GMT https://community.cisco.com/t5/network-security/cannot-ping-external-ip-from-inside-firewall/m-p/1646330#M564865 Collin Clark 2011-02-28T19:10:57Z https://community.cisco.com/t5/network-security/cannot-ping-external-ip-from-inside-firewall/m-p/1646331#M564866 <HTML><HEAD></HEAD><BODY><P>You are not allowed to ping from the inside network the external interface of the ASA, you should be able to ping any other external IP but not the IP of another interface of the ASA, only the directly attached interface is able to respond to ping.</P><P></P><P>This is a limitation on the ASA</P></BODY></HTML> Mon, 28 Feb 2011 19:13:38 GMT https://community.cisco.com/t5/network-security/cannot-ping-external-ip-from-inside-firewall/m-p/1646331#M564866 PAUL GILBERT ARIAS 2011-02-28T19:13:38Z