ASA5505:unable to ping from sec level 100 to sec level 70

I can establish FTP and HTTP connections from inside (sec level 100) to polling (sec level 70).

I attempted to enable ICMP echo reply from PC to server.

Well, I failed... packet tracer showed fine... all phases allowed... but my PC simply cannot get a ping reply from the server...

The PC can ping the inside interface but cannot ping the polling interface...

BTW... I have added a line in inspection_default

inspect icmp

I should be able to ping to a lower sec level since ICMP is inspected... but still I cannot ping the server in sec level 70... What have I done wrong?

Thanks.

1 ACCEPTED SOLUTION


Hey,

From the configuration attached, I observed on the inside interface, you have applied access list "test" in the in-bound direction. "test" access list will allow TCP and UDP for object group servers along with ICMP for object group ping-reply (which has no icmp-object to allow "echo" icmp-object).

Add an icmp-object echo in the object-group icmp-type and test.

Hope this helps.

Regards,

Adtiya


Hi Adtiya,

I got it working and you are right.

What I did not test is the echo using packet-tracer; when I tested the echo it was dropped by implicit deny from the inside.

Cyrus
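
The fix from the accepted solution and the echo test from the last reply, written out as an added ASA CLI example (not the poster's attached configuration). The group's existing contents, the exact ACL line and both IP addresses are assumptions or placeholders.

```cisco
! Constructed example. 192.168.1.10 (PC on inside) and 10.0.70.10
! (server on polling) are placeholder addresses.

! Before (assumed contents): the group used by ACL "test" only lists
! the reply type, so an echo request entering the inside interface
! matches nothing and falls through to the implicit deny:
!   object-group icmp-type ping-reply
!    icmp-object echo-reply

! After: add the echo type to the same group.
object-group icmp-type ping-reply
 icmp-object echo

! ACL entry and binding as described in the answer (exact line assumed).
access-list test extended permit icmp any any object-group ping-reply
access-group test in interface inside

! Already present per the original post; inspection lets the echo-reply
! return from the lower security level without an ACL on polling.
! global_policy is the default policy-map name.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verify with an echo request (ICMP type 8, code 0), not an echo-reply.
packet-tracer input inside icmp 192.168.1.10 8 0 10.0.70.10

! Confirm the permit entry is taking hits rather than the implicit deny.
show access-list test
```

Running packet-tracer with type 0 (echo-reply) instead of type 8 would pass against the "before" group and hide the drop, which matches what the last reply reports.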