https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049181#M878752 <HTML><HEAD></HEAD><BODY><P>I just ran a packet capture, results:</P><P></P><P>RESULTS - The packet is dropped</P><P>Info : (rpf violated) Reverse-path verify failed</P><P></P><P>I tried to remove the following but still unable to ping:</P><P></P><P>ip verify reverse-path interface Outside</P><P>ip verify reverse-path interface Inside </P><P></P><P></P></BODY></HTML> Tue, 16 Dec 2008 16:46:48 GMT ronshuster 2008-12-16T16:46:48Z https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049178#M878749 <P>I am trying to get a few workstations to ping and traceroute to the Internet via an ASA5520. I have a permit ip any any for all incoming traffic hitting the inside interface and still unable to ping\traceroute the Internet.</P><P></P><P>any idea?</P> Mon, 11 Mar 2019 14:26:39 GMT https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049178#M878749 ronshuster 2019-03-11T14:26:39Z https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049179#M878750 <HTML><HEAD></HEAD><BODY><P>Roni,</P><P></P><P>It is hard to say what is wrong without the configuration. Have you already configured the NAT, ACL, etc and also you mention few clients, does this mean the other workstations are working. I hope the below URL helps:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P>Regards,</P><P>Arul</P><P></P><P>*Pls rate if it helps*</P></BODY></HTML> Tue, 16 Dec 2008 16:15:53 GMT https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049179#M878750 ajagadee 2008-12-16T16:15:53Z https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049180#M878751 <HTML><HEAD></HEAD><BODY><P>Our internet access works perfectly ok from a NAT &amp; PAT &amp; ACL stand point... only thing is that we cannot ping &amp; traceroute to the Internet.</P><P></P><P>I have a permit ip any any on all traffic incoming the INSIDE interface. Is that sufficient or do I need to apply the following as well:</P><P></P><P>access-list 101 permit icmp any any echo-reply</P><P>access-list 101 permit icmp any any source-quench </P><P>access-list 101 permit icmp any any unreachable </P><P>access-list 101 permit icmp any any time-exceeded</P><P></P></BODY></HTML> Tue, 16 Dec 2008 16:23:39 GMT https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049180#M878751 ronshuster 2008-12-16T16:23:39Z https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049181#M878752 <HTML><HEAD></HEAD><BODY><P>I just ran a packet capture, results:</P><P></P><P>RESULTS - The packet is dropped</P><P>Info : (rpf violated) Reverse-path verify failed</P><P></P><P>I tried to remove the following but still unable to ping:</P><P></P><P>ip verify reverse-path interface Outside</P><P>ip verify reverse-path interface Inside </P><P></P><P></P></BODY></HTML> Tue, 16 Dec 2008 16:46:48 GMT https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049181#M878752 ronshuster 2008-12-16T16:46:48Z https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049182#M878753 <HTML><HEAD></HEAD><BODY><P>If you're using the asa, you also need to configure the ICMP inspection using the icmp permit command set;</P><P></P><P>e.g. </P><P>icmp permit any inside</P><P>icmp permit echo-reply outside</P><P>icmp permit unreachable outside</P><P>icmp permit traceroute outside</P><P></P><P>HTH</P><P></P><P>P-J Nefkens</P><P></P><P></P></BODY></HTML> Tue, 16 Dec 2008 21:08:27 GMT https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049182#M878753 nefkensp 2008-12-16T21:08:27Z https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049183#M878754 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The above lines need to be applied on the outside interface. </P><P></P><P>access-list 101 permit icmp any any echo-reply</P><P>access-list 101 permit icmp any any source-quench</P><P>access-list 101 permit icmp any any unreachable</P><P>access-list 101 permit icmp any any time-exceeded </P><P></P><P>access-group 101 in interface outside</P><P></P><P>OR</P><P></P><P>The other option is to enable inspection:</P><P></P><P>For example:</P><P></P><P> policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp</P><P></P><P>Please refer the below URL for details:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P>Regards,</P><P>Arul</P><P></P><P>*Pls rate if it helps*</P><P></P></BODY></HTML> Tue, 16 Dec 2008 22:23:44 GMT https://community.cisco.com/t5/network-security/ping-tracerout-through-firewall/m-p/1049183#M878754 ajagadee 2008-12-16T22:23:44Z