Allow ping to outside interface

rmessina
Level 1

How do I allow my outside interface to be pingable from the outside? I've tried configuring an access to allow icmp on the outside interface with no success. I'm still seeing the deny inbound icmp type 8 code 0 messages in the syslog.  Thanks.


I'm assuming you're trying to ping the outside interface over VPN?

Try deactivating Antispoofing -

no ip verify reverse-path interface outside

Just tried that, still no luck. I'm trying to ping the outside interface IP address, not over the VPN tunnel. I can ping all the way to the last hop before my outside interface IP, and I see the ICMP drops in the syslog so I know that the firewall is dropping the ping.

Randy,

Are you trying to ping the outside interface from the vpnclient server (the headend device)? As far as I can think, there isn't any issue with ICMP allowed or inspect, but since you are using this 5505 as an easy vpnclient it is assuming the traffic from the headend should be received with IPsec encryption and not unencrypted.

Can you please check the settings on the headend device if that's the case?

Manish

No, I'm trying to ping from a server out on the interwebs... well, I've tried pinging it from many locations honestly.

Randy,

Can you please post the output of the following from this easy vpnclient ASA?

1> sh crypto isakmp sa

2> sh crypto ipsec sa

Then issue 10-20 pings to the ASA:

3> sh crypto ipsec sa

Please, when you are changing the IPs before posting, do it like 1.1.1.1 = 1.x.x.1, so that it's easier to understand the policies pushed by the headend to the client.

Thanks

Manish

Have you verified connectivity?  Possibly an ARP problem on your upstream router.  Log into the router and do a...

Show ARP

and verify the output IP of the outside ASA matches the MAC address of the outside interface on the ASA.

icmp permit any outside

That should be all that is necessary to ping the firewall's outside interface from another host on the internet.  Another way of accomplishing this that I prefer is icmp inspects.

access-list ICMP ext permit icmp any any
!
class-map ICMP-CMAP
 match access-list ICMP
!
policy-map global_policy
 class ICMP-CMAP
  inspect icmp
!

7 years late but my thinking is that on the VPN head end firewall he had it configured to tunnel all traffic back and not split it out, therefore any replies to pings on the Outside interface would try to go via the tunnel.

 

This was a VPNClient configuration on his ASA rather than site to site, so there was no interesting traffic ACL, it's all controlled on the head end firewall.

 

For anyone like me that bothered to read through the thread until the end at least it gives some closure.
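An added example, not written by anyone in this thread: a small Python script that tallies denied echo requests per source from ASA syslog, to confirm after a change such as `icmp permit any outside` whether pings on the outside interface are still being dropped. The line formats for messages 106014 and 313001 are an assumption about what the ASA emits, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses), in the assumed shape of
# ASA messages 106014 and 313001; not taken from the thread.
SAMPLE_LOG = """\
Mar 01 10:00:01 asa %ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst outside:203.0.113.2 (type 8, code 0)
Mar 01 10:00:02 asa %ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst outside:203.0.113.2 (type 8, code 0)
Mar 01 10:00:03 asa %ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.44 on interface outside
Mar 01 10:00:04 asa %ASA-3-106014: Deny inbound icmp src outside:192.0.2.9 dst outside:203.0.113.2 (type 3, code 3)
Mar 01 10:00:05 asa %ASA-6-302013: Built inbound TCP connection 1 for outside:192.0.2.9/4000 (192.0.2.9/4000) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

RE_106014 = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp src (?P<ifc>[^:\s]+):(?P<src>\S+) "
    r"dst [^:\s]+:(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\)")
RE_313001 = re.compile(
    r"%ASA-\d-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<ifc>\S+)")

def parse_icmp_denies(text):
    """Return one dict per ICMP deny line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        for msg_id, rx in (("106014", RE_106014), ("313001", RE_313001)):
            m = rx.search(line)
            if m:
                ev = m.groupdict()
                ev["msg"] = msg_id
                ev["type"], ev["code"] = int(ev["type"]), int(ev["code"])
                events.append(ev)
                break
    return events

def denied_echo_by_source(events, interface="outside"):
    """Count denied echo requests (type 8, code 0) per source on one interface."""
    return Counter(e["src"] for e in events
                   if e["ifc"] == interface and (e["type"], e["code"]) == (8, 0))

if __name__ == "__main__":
    for src, n in denied_echo_by_source(parse_icmp_denies(SAMPLE_LOG)).most_common():
        print(f"{src}: {n} denied echo request(s)")
```

A count that stays at zero for your test source after the configuration change means the firewall is no longer logging drops for those pings.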
