I am configuring an ASA, but I have no respond when I try to ping to any outside IP address. I have already checked the commands related to ICMP and I have already set those commands.
Is something left still ??? this is the sh run file.....
ciscoasa# sh run
ASA Version 7.2(3)
ip address 192.168.1.1 255.255.255.0
ip address pppoe setroute
ip address 10.10.1.1 255.255.255.0
switchport access vlan 2
switchport access vlan 3
ftp mode passive
access-list ICMPACL extended permit icmp any any
access-list DMZ extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ipv6 icmp permit any DMZ
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group ICMPACL in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname f55xxxxxxxx
vpdn group pppoe_group ppp authentication pap
vpdn username f5512345678 password *********
dhcpd dns 240.x.x.201 200.331.146.193
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
match access-list ICMPACL
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
to have outside interface respond to ICMP
from the outside add this statement.
asa(config)#no icmp deny any outside
to have outside not respond to ICMP from outside place argument back
asa(config)#icmp deny any outside
Let me know how it goes.
thanks for your comments..
I have already test that command but it did not worked. I have still the problem of not
having respond when I ping from inside to any outside ip address (public IP addresss)
any other suggestion??
Francisco, I had understood you were trying to ping the outside interface of firewall from outside, you now indicate you are trying to ping from inside to an outside public IP address if this is the case the process is completely different.
ping from inside outbound you would need and access list like this and apply to outside interface.
I quote from link
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
it is also recommended to have inspect icmp
which you already have in your config.
try the above and let us know the results.
thank you for your support, but the problem was the version of the handle, I made the update and everything worked.
Anyway thank you very much, we are in contact cuidate goodbye.
Also, keep in mind this restriction:
-You can ping the inside interface ip from an inside host.
-You can ping the outside interface ip from an outside host.
-You can NOT ping the outside interface ip from an inside host.
Put more generally, you cannot ping the firewall's ip addresses, unless you are on the interface you are pinging.
Hope that helps!
thanks for your help
already solved my problem, the problem is the version of the asa.
thank you very much beforehand cuidate goodbye.