Showing results for 
Search instead for 
Did you mean: 


ASA 5505 - ICMP not responding

I am configuring an ASA, but I have no respond when I try to ping to any outside IP address. I have already checked the commands related to ICMP and I have already set those commands.

Is something left still ??? this is the sh run file.....

ciscoasa# sh run

: Saved


ASA Version 7.2(3)




interface Vlan1

nameif inside

security-level 100

ip address

ipv6 enable


interface Vlan2

nameif outside

security-level 0

ip address pppoe setroute


interface Vlan3

nameif DMZ

security-level 50

ip address

ipv6 enable


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2

switchport access vlan 3


interface Ethernet0/3



interface Ethernet0/4



interface Ethernet0/5



interface Ethernet0/6



interface Ethernet0/7



passwd xxx

ftp mode passive

access-list ICMPACL extended permit icmp any any

access-list DMZ extended permit ip any any

pager lines 24

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

ipv6 icmp permit any DMZ

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1

nat (DMZ) 1

access-group ICMPACL in interface outside

access-group DMZ in interface DMZ

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname f55xxxxxxxx

vpdn group pppoe_group ppp authentication pap

vpdn username f5512345678 password *********

dhcpd dns 240.x.x.201 200.331.146.193


dhcpd address inside

dhcpd enable inside



class-map inspection_default

match default-inspection-traffic

class-map ICMP-CLASS

match access-list ICMPACL



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

policy-map ICMP-POLICY


inspect icmp


service-policy global_policy global

prompt hostname context


: end


to have outside interface respond to ICMP

from the outside add this statement.

asa(config)#no icmp deny any outside

to have outside not respond to ICMP from outside place argument back

asa(config)#icmp deny any outside

Let me know how it goes.



Jorge Rodriguez

hi Jorge

thanks for your comments..

I have already test that command but it did not worked. I have still the problem of not

having respond when I ping from inside to any outside ip address (public IP addresss)

any other suggestion??

Francisco, I had understood you were trying to ping the outside interface of firewall from outside, you now indicate you are trying to ping from inside to an outside public IP address if this is the case the process is completely different.

ping from inside outbound you would need and access list like this and apply to outside interface.

I quote from link

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

it is also recommended to have inspect icmp

which you already have in your config.

try the above and let us know the results.

Jorge Rodriguez

Hello Gorge

thank you for your support, but the problem was the version of the handle, I made the update and everything worked.

Anyway thank you very much, we are in contact cuidate goodbye.

Brian Conklin


Also, keep in mind this restriction:

-You can ping the inside interface ip from an inside host.

-You can ping the outside interface ip from an outside host.

-You can NOT ping the outside interface ip from an inside host.

Put more generally, you cannot ping the firewall's ip addresses, unless you are on the interface you are pinging.

Hope that helps!


Hello Brian

thanks for your help

already solved my problem, the problem is the version of the asa.

thank you very much beforehand cuidate goodbye.


Can you tell me to what version did you upgrade i too have the same problem.