ASA5505: unable to ping from sec level 100 to sec level 70

rakyomin78
Level 1

I can establish FTP and HTTP connections from inside (sec level 100) to polling (sec level 70).

I attempted to enable ICMP echo reply from the PC to the server.

Well, I failed... packet-tracer showed fine... all phases allowed... but my PC simply cannot get a ping reply from the server...

The PC can ping the inside interface but cannot ping the polling interface...

BTW... I have added a line in inspection_default:

inspect icmp

I should be able to ping to a lower sec level since ICMP is inspected... but still I cannot ping the server in sec level 70... what have I done wrong?

Thanks.

Accepted Solution

advijay
Level 1

Hey,

From the configuration attached, I observed that on the inside interface you have applied access list "test" in the inbound direction. The "test" access list will allow TCP and UDP for object group "servers", along with ICMP for object group "ping-reply" (which has no icmp-object to allow "echo").

Add an icmp-object echo to the icmp-type object-group and test.

Hope this helps.

Regards,

Adtiya


2 Replies


Hi Adtiya,

I got it working, and you are right.

What I did not test is the echo using packet-tracer; when I tested the echo, it was dropped by the implicit deny from the inside.

Cyrus
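The weak and corrected configurations described in the accepted answer, and the packet-tracer check Cyrus mentions, as an added example that is not the poster's attached config: the object-group and access-list names come from the thread, while the addresses and the contents of object-group "servers" are constructed placeholders.

```cisco
! Constructed example; 10.0.100.50 (PC) and 10.0.70.10 (server) are placeholders.
object-group network servers
 network-object host 10.0.70.10
!
! Weak (as in the thread): the group holds only echo-reply, so the echo
! request (type 8) the PC sends inbound on "inside" matches no ACE and
! hits the implicit deny at the end of access-list "test".
object-group icmp-type ping-reply
 icmp-object echo-reply
!
access-list test extended permit tcp any object-group servers
access-list test extended permit udp any object-group servers
access-list test extended permit icmp any object-group servers object-group ping-reply
access-group test in interface inside
!
! Corrected: add echo so the request is permitted; with "inspect icmp" in
! the policy map the reply is allowed back by the inspection engine, so
! echo-reply is no longer needed in an inbound ACL on "inside".
object-group icmp-type ping-reply
 icmp-object echo
 icmp-object echo-reply
!
! Verify the request, not the reply: ICMP type 8 code 0 from the PC.
! packet-tracer input inside icmp 10.0.100.50 8 0 10.0.70.10 detailed
```

Testing with type 0 (echo-reply) would have passed even on the weak configuration, which is why the original packet-tracer run looked fine.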
