04-24-2008 10:08 AM - edited 03-11-2019 05:36 AM
I am configuring an ASA, but I get no response when I try to ping any outside IP address. I have already checked the commands related to ICMP and I have already set those commands.
Is something still missing? This is the sh run file:
ciscoasa# sh run
: Saved
:
ASA Version 7.2(3)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ipv6 enable
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
interface Vlan3
nameif DMZ
security-level 50
ip address 10.10.1.1 255.255.255.0
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd xxx
ftp mode passive
access-list ICMPACL extended permit icmp any any
access-list DMZ extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ipv6 icmp permit any DMZ
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group ICMPACL in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 202.38.193.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname f55xxxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username f5512345678 password *********
dhcpd dns 240.x.x.201 200.331.146.193
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
class-map ICMP-CLASS
match access-list ICMPACL
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map ICMP-POLICY
class ICMP-CLASS
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
04-24-2008 11:57 AM
To have the outside interface respond to ICMP from the outside, add this statement:
asa(config)#no icmp deny any outside
To have the outside not respond to ICMP from the outside, place the argument back:
asa(config)#icmp deny any outside
Let me know how it goes.
Rgds
Jorge
04-24-2008 01:25 PM
Hi Jorge,
Thanks for your comments.
I have already tested that command but it did not work. I still have the problem of not getting a response when I ping from inside to any outside IP address (public IP address).
Any other suggestions?
04-24-2008 05:20 PM
Francisco, I had understood you were trying to ping the outside interface of the firewall from outside. You now indicate you are trying to ping from inside to an outside public IP address; if this is the case, the process is completely different.
To ping from inside outbound you would need an access list like this, applied to the outside interface.
I quote from the link:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
It is also recommended to have inspect icmp, which you already have in your config.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Try the above and let us know the results.
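Added example, not part of the original thread or of Cisco's documentation: on an ASA a policy-map only takes effect once a service-policy attaches it, so this Python check reports where inspect icmp is actually active. The sample lines are the policy-map and service-policy lines from the running config posted above; the function names are hypothetical.

```python
# Constructed sample: policy-map / service-policy lines from the running
# config posted in this thread (indentation was already lost on the page).
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
policy-map ICMP-POLICY
class ICMP-CLASS
inspect icmp
!
service-policy global_policy global
"""


def parse_policies(config):
    """Return ({policy-map: [inspected protocols]}, {policy-map: attachment})."""
    inspections, attached, current = {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "policy-map":
            current = words[-1]              # the name is the last token
            inspections.setdefault(current, [])
        elif words[0] == "inspect" and current and len(words) > 1:
            inspections[current].append(words[1])
        elif words[0] == "service-policy" and len(words) >= 3:
            attached[words[1]] = " ".join(words[2:])   # "global" or "interface X"
            current = None
        elif words[0] == "!":
            current = None                   # section separator ends the context
    return inspections, attached


def icmp_inspection_status(config):
    """Map each policy-map containing 'inspect icmp' to where it is attached."""
    inspections, attached = parse_policies(config)
    return {name: attached.get(name, "NOT ATTACHED")
            for name, protos in inspections.items() if "icmp" in protos}


if __name__ == "__main__":
    for name, where in icmp_inspection_status(SAMPLE_CONFIG).items():
        print(f"policy-map {name}: inspect icmp -> {where}")
```

For the posted config this reports ICMP-POLICY as not attached, because the only service-policy line references global_policy.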
04-26-2008 06:58 AM
Hello Jorge,
Thank you for your support, but the problem was the version of the handle. I made the update and everything worked.
Anyway, thank you very much. We'll be in touch, take care, goodbye.
04-25-2008 12:06 PM
Hi,
Also, keep in mind this restriction:
-You can ping the inside interface ip from an inside host.
-You can ping the outside interface ip from an outside host.
-You can NOT ping the outside interface ip from an inside host.
Put more generally, you cannot ping the firewall's ip addresses, unless you are on the interface you are pinging.
Hope that helps!
-Brian
04-26-2008 06:50 AM
Hello Brian,
Thanks for your help.
I already solved my problem; the problem is the version of the ASA.
Thank you very much, take care, goodbye.
04-26-2008 01:42 PM
Brian,
Can you tell me what version you upgraded to? I too have the same problem.
Regards
Krissh