https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477117#M681614 <HTML><HEAD></HEAD><BODY><P>If "icmp permit any outside" has been configured, you should be able to ping the ASA outside interface ip address. It doesn't sound like the ping packet is reaching the ASA interface. You can run packet capture on the ASA outside interface to see if the ping packet actually reaches the ASA outside interface.</P><P></P><P>access-list cap-out permit icmp any host 217.122.142.198</P><P>access-list cap-out permit icmp host 217.122.142.198 any</P><P>cap cap-out access-list cap-out interface outside</P><P></P><P>Try to ping, then check the output of: show cap cap-out</P><P></P><P>If you don't see anything, that means the ping does not even reach the ASA.</P></BODY></HTML> Tue, 04 May 2010 10:08:40 GMT Jennifer Halim 2010-05-04T10:08:40Z https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477112#M681609 <P>How i enable ping to public vpn ip.</P><P>for example my outside interface is 172.20.10.2 and my public profile vpn ip is 217.122.142.198, and i need to ping to this public ip from another network.</P> Mon, 11 Mar 2019 17:40:04 GMT https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477112#M681609 martimanya 2019-03-11T17:40:04Z https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477113#M681610 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If I understand correctly, your VPN client connects to 217.122.142.198, correct?</P><P>You need to PING that IP?</P><P></P><P>As you mentioned, I'm not able to PING that public IP either (from the Internet).</P><P>This could be because the VPN terminating end-point itself (ASA, IOS Router, etc) is not allowing PING replies.</P><P>Another reason is because there's another device in front blocking PINGs.</P><P></P><P>So, please clarify the following:</P><P>1. What device is the VPN endpoint?</P><P>2. Are there any other devices in front that might be blocking ICMP?</P><P></P><P>Federico.</P></BODY></HTML> Mon, 03 May 2010 15:47:51 GMT https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477113#M681610 Federico Coto Fajardo 2010-05-03T15:47:51Z https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477114#M681611 <HTML><HEAD></HEAD><BODY><P>Hi Federico,</P><P></P><P>1 - ASA is the device VPN Endpoint</P><P>2 - One router C2800 is in front of ASA but not blocks ICMP.</P><P></P><P>thanks</P></BODY></HTML> Tue, 04 May 2010 06:05:24 GMT https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477114#M681611 martimanya 2010-05-04T06:05:24Z https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477115#M681612 <HTML><HEAD></HEAD><BODY><P>You would need to check if you have an icmp statement on your ASA: sh run icmp</P><P></P><P>If you do, then you would need to permit icmp on the ASA outside interface if you are trying to ping 217.122.142.198. Assuming that the ASA outside ip is 217.122.142.198, then you would need to add:</P><P></P><P><STRONG>icmp permit any outside</STRONG></P></BODY></HTML> Tue, 04 May 2010 09:23:03 GMT https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477115#M681612 Jennifer Halim 2010-05-04T09:23:03Z https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477116#M681613 <HTML><HEAD></HEAD><BODY><P>Thanks Halijen,</P><P></P><P>but i had already added "icmp permit any OUTSIDE"</P></BODY></HTML> Tue, 04 May 2010 10:02:14 GMT https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477116#M681613 martimanya 2010-05-04T10:02:14Z https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477117#M681614 <HTML><HEAD></HEAD><BODY><P>If "icmp permit any outside" has been configured, you should be able to ping the ASA outside interface ip address. It doesn't sound like the ping packet is reaching the ASA interface. You can run packet capture on the ASA outside interface to see if the ping packet actually reaches the ASA outside interface.</P><P></P><P>access-list cap-out permit icmp any host 217.122.142.198</P><P>access-list cap-out permit icmp host 217.122.142.198 any</P><P>cap cap-out access-list cap-out interface outside</P><P></P><P>Try to ping, then check the output of: show cap cap-out</P><P></P><P>If you don't see anything, that means the ping does not even reach the ASA.</P></BODY></HTML> Tue, 04 May 2010 10:08:40 GMT https://community.cisco.com/t5/network-security/enable-ping-to-public-vpn-profile-ip/m-p/1477117#M681614 Jennifer Halim 2010-05-04T10:08:40Z