ASA 5505 - ICMP not responding

I am configuring an ASA, but I get no response when I try to ping any outside IP address. I have already checked the commands related to ICMP and I have already set those commands.

Is something still missing? This is the sh run file:

ciscoasa# sh run
: Saved
:
ASA Version 7.2(3)
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ipv6 enable
!
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 10.10.1.1 255.255.255.0
 ipv6 enable
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd xxx
ftp mode passive
access-list ICMPACL extended permit icmp any any
access-list DMZ extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ipv6 icmp permit any DMZ
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group ICMPACL in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 202.38.193.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname f55xxxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username f5512345678 password *********
dhcpd dns 240.x.x.201 200.331.146.193
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
class-map ICMP-CLASS
 match access-list ICMPACL
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map ICMP-POLICY
 class ICMP-CLASS
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end


JORGE RODRIGUEZ
Level 10

To have the outside interface respond to ICMP from the outside, add this statement:

asa(config)#no icmp deny any outside

To have the outside not respond to ICMP from the outside, place the argument back:

asa(config)#icmp deny any outside

Let me know how it goes.

Rgds

Jorge

Jorge Rodriguez

Hi Jorge,

Thanks for your comments.

I have already tested that command but it did not work. I still have the problem of not getting a response when I ping from inside to any outside IP address (public IP address).

Any other suggestions?

Francisco, I had understood you were trying to ping the outside interface of the firewall from outside. You now indicate you are trying to ping from inside to an outside public IP address; if this is the case, the process is completely different.

To ping from inside outbound you would need an access list like this, applied to the outside interface.

I quote from the link:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

It is also recommended to have inspect icmp, which you already have in your config.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Try the above and let us know the results.

Jorge Rodriguez
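
A check over the configuration posted in the question, as an added example (not part of the thread and not Cisco tooling). A policy-map only takes effect once a service-policy attaches it, so the script reports `inspect icmp` that is defined but never applied, and ICMP permits without a type that are applied inbound on the outside interface. The function name `audit_icmp` and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the ICMP-relevant lines of the running-config posted in the question.
SAMPLE_CONFIG = """\
access-list ICMPACL extended permit icmp any any
access-group ICMPACL in interface outside
class-map ICMP-CLASS
 match access-list ICMPACL
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map ICMP-POLICY
 class ICMP-CLASS
  inspect icmp
service-policy global_policy global
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit icmp any any(?: (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def audit_icmp(config: str) -> dict:
    """Report unapplied ICMP inspection and untyped ICMP permits on outside."""
    inspecting, bound = set(), set()  # maps with 'inspect icmp' / maps attached by service-policy
    untyped, outside = set(), set()   # ACLs permitting every ICMP type / ACLs inbound on outside
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "policy-map":
            current = tokens[-1]      # name is the last token, also for 'policy-map type inspect ...'
        elif line == "inspect icmp" and current:
            inspecting.add(current)
        elif tokens[0] == "service-policy" and len(tokens) > 1:
            bound.add(tokens[1])
        elif (m := ACL_RE.match(line)) and m.group(2) is None:
            untyped.add(m.group(1))
        elif m := GROUP_RE.match(line):
            outside.add(m.group(1))
    return {
        "icmp_inspected": bool(inspecting & bound),
        "unbound_icmp_inspection": sorted(inspecting - bound),
        "untyped_icmp_on_outside": sorted(untyped & outside),
    }


if __name__ == "__main__":
    print(audit_icmp(SAMPLE_CONFIG))
```

On the posted configuration this reports ICMP-POLICY as never attached (only global_policy is bound) and ICMPACL as permitting all ICMP types inbound on outside, which the four-type access list 101 quoted above narrows.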

Hello Jorge,

Thank you for your support, but the problem was the version of the handle. I made the update and everything worked.

Anyway, thank you very much. We are in contact, take care, goodbye.

Brian Conklin
Level 1

Hi,

Also, keep in mind this restriction:

-You can ping the inside interface ip from an inside host.

-You can ping the outside interface ip from an outside host.

-You can NOT ping the outside interface ip from an inside host.

Put more generally, you cannot ping the firewall's ip addresses, unless you are on the interface you are pinging.

Hope that helps!

-Brian

Hello Brian,

Thanks for your help.

I already solved my problem; the problem is the version of the ASA.

Thank you very much beforehand, take care, goodbye.

Brian,

Can you tell me to what version you upgraded? I too have the same problem.

Regards

Krissh
