
ASA 5505: unable to ping external hosts from LAN

augnevenok
Level 1

Hi,

I have a LAN behind ASA 5505, interface NAT/PAT is configured.

External interface is configured for PPPoE.

Everything works fine except I cannot ping external hosts from a LAN PC. I can however ping external hosts from the ASA itself. ICMP is allowed:

icmp permit any inside

icmp permit any outside

access-list outside_access_in extended permit icmp any any

Protocol inspections and fixups are default.

When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:

302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session

313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside

302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

Where 202.xx.yy.zz is the IP of the external interface of the ASA.

This is a very simple setup that runs on a number of other PIXes/ASAs and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface?

Any help will be highly appreciated.

Thank you.

Alex

1 Reply

wong34539
Level 6

The channel is a point-to-point link. There is no defined interface to which to send the ping packet. Therefore, there is no way to wrap the packet back to the interface and respond to the ping.
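
The following Python is an added example, not code from either poster: it replays the log lines from the question and, for each 313004 denial, lists the ICMP connections that were open for the same faddr/gaddr pair at that moment. The regular expressions assume the line layout exactly as posted (message ID first); the function and variable names are made up for this example.

```python
import re

# Log lines copied from the question above (message ID first, as posted).
SAMPLE_LOG = """\
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
"""

# 302020 = Built, 302021 = Teardown; capture faddr, gaddr and "laddr/id".
CONN = re.compile(
    r"^30202[01] .*?(Built|Teardown) ICMP connection for "
    r"faddr (\S+)/\d+ gaddr (\S+)/\d+ laddr (\S+/\d+)")
# 313004 = ICMP packet dropped because no session matched it.
DENY = re.compile(
    r"^313004 Denied ICMP type=(\d+), from laddr (\S+) "
    r"on interface \S+ to (\S+): no matching session")

def correlate(log_text):
    """Pair each 313004 denial with the ICMP connections open at that moment.

    Returns (findings, still_open). Each finding carries the laddr/id of every
    open connection that shares the denied packet's source (faddr) and
    destination (gaddr). Other message IDs, such as 313001, are ignored.
    """
    open_conns = []  # (faddr, gaddr, "laddr/id"), in build order
    findings = []
    for line in log_text.splitlines():
        conn = CONN.match(line.strip())
        if conn:
            action, faddr, gaddr, local = conn.groups()
            entry = (faddr, gaddr, local)
            if action == "Built":
                open_conns.append(entry)
            elif entry in open_conns:
                open_conns.remove(entry)
            continue
        deny = DENY.match(line.strip())
        if deny:
            icmp_type, src, dst = deny.groups()
            sessions = [l for f, g, l in open_conns if (f, g) == (src, dst)]
            findings.append({"type": int(icmp_type), "src": src,
                             "dst": dst, "sessions": sessions})
    return findings, open_conns

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

On the posted log this reports one denied type=0 packet while two connections for the same pair were open, one of them with laddr equal to the outside interface address.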