07-28-2011 02:43 PM - edited 03-11-2019 02:05 PM
How do I allow my outside interface to be pingable from the outside? I've tried configuring an access to allow icmp on the outside interface with no success. I'm still seeing the deny inbound icmp type 8 code 0 messages in the syslog. Thanks.
07-29-2011 06:52 AM
I'm assuming you're trying to ping the outside interface over VPN?
Try deactivating Antispoofing -
no ip verify reverse-path interface outside
07-29-2011 06:57 AM
Just tried that still no luck. I'm trying to ping the outside interface IP address, not over the VPN tunnel. I can ping all the way to the last hop before my outside interface IP, and I see the ICMP drops in the syslog so I know that the firewall is dropping the ping.
07-29-2011 08:57 AM
Randy,
Are you trying to ping the outside interface from the vpnclient server (the headend device)? As far as I can think, there isn't any issue with ICMP allowed or inspect, but since you are using this 5505 as an easy vpnclient it is assuming the traffic from the headend should be received with IPsec encryption and not unencrypted.
Can you please check the settings on the headend device if that's the case?
Manish
07-29-2011 09:03 AM
No, I'm trying to ping from a server out on the interwebs... well, I've tried pinging it from many locations honestly.
07-29-2011 09:21 AM
Randy,
Can you please post the output of the following from this easy vpnclient ASA?
1> sh crypto isakmp sa
2> sh crypto ipsec sa
Then issue 10-20 pings to the ASA:
3> sh crypto ipsec sa
Please, when you are changing the IPs before posting, do it like 1.1.1.1 = 1.x.x.1, so that it's easier to understand the policies pushed by the headend to the client.
Thanks
Manish
07-30-2011 12:28 PM
Have you verified connectivity? Possibly an ARP problem on your upstream router. Log into the router and do a...
show arp
and verify that the IP of the ASA's outside interface in the output matches the MAC address of the outside interface on the ASA.
icmp permit any outside
That should be all that is necessary to ping the firewall's outside interface from another host on the internet. Another way of accomplishing this that I prefer is ICMP inspection.
access-list ICMP extended permit icmp any any
!
class-map ICMP-CMAP
 match access-list ICMP
!
policy-map global_policy
 class ICMP-CMAP
  inspect icmp
!
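As an added illustration (not code from any post in this thread), the following Python script triages the "deny inbound icmp type 8 code 0" syslog messages Randy mentions: it parses lines in the shape of ASA message 106014 (the message format is assumed from the documented layout, and the sample lines are constructed) and separates echo requests aimed at the firewall's own outside address from ones trying to transit it, so you can confirm the box itself is dropping the ping before changing the icmp or inspect configuration. The outside address passed to summarize() is a placeholder.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of ASA message 106014.
# Assumed format: "Deny inbound icmp src IF:IP dst IF:IP (type N, code N)".
SAMPLE_LOGS = """\
Jul 29 2011 09:00:01 asa %ASA-3-106014: Deny inbound icmp src outside:203.0.113.5 dst outside:198.51.100.1 (type 8, code 0)
Jul 29 2011 09:00:02 asa %ASA-3-106014: Deny inbound icmp src outside:203.0.113.5 dst outside:198.51.100.1 (type 8, code 0)
Jul 29 2011 09:00:03 asa %ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst inside:192.168.1.10 (type 8, code 0)
Jul 29 2011 09:00:04 asa %ASA-3-106014: Deny inbound icmp src outside:203.0.113.5 dst outside:198.51.100.1 (type 3, code 3)
Jul 29 2011 09:00:05 asa %ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/4000 (203.0.113.5/4000) to inside:192.168.1.10/22 (192.168.1.10/22)
"""

DENY_RE = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp src (?P<sif>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)


def parse_icmp_denies(text):
    """Return one dict per 106014 line; every other message is ignored."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["type"], d["code"] = int(d["type"]), int(d["code"])
            out.append(d)
    return out


def summarize(text, outside_ip):
    """Split echo-request (type 8) denies into pings aimed at the firewall's
    own outside address versus pings meant to transit it, counted per source."""
    to_box, transit = Counter(), Counter()
    for d in parse_icmp_denies(text):
        if d["type"] != 8:
            continue  # only echo requests matter for "can I ping the ASA"
        (to_box if d["dst"] == outside_ip else transit)[d["src"]] += 1
    return {"to_interface": dict(to_box), "transit": dict(transit)}


if __name__ == "__main__":
    # 198.51.100.1 is a placeholder for the ASA's real outside interface IP.
    print(summarize(SAMPLE_LOGS, "198.51.100.1"))
```

Counts under "to_interface" are pings the ASA refused for itself (the case in this thread); "transit" counts point at an access-list or inspection problem instead.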
06-20-2018 12:26 PM
7 years late but my thinking is that on the VPN head end firewall he had it configured to tunnel all traffic back and not split it out, therefore any replies to pings on the Outside interface would try to go via the tunnel.
This was a VPNClient configuration on his ASA rather than site to site, so there was no interesting traffic ACL, it's all controlled on the head end firewall.
For anyone like me that bothered to read through the thread until the end at least it gives some closure.