Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2376
Views
5
Helpful
5
Replies

ASA 9.1(2) drops PING (icmp codes 0 & 8)

Go to solution
12oclock12
Level 1
Level 1

‎07-27-2015 06:57 AM - edited ‎03-11-2019 11:20 PM

Hi

 

Im trying to ping DMZ interface on ASA from INSIDE host and vise versa. It does not work :( Tried to debug icmp however the icmp packet did not even hit the DMZ interface from the particular host. Doing this with packet-tracer, ASA shows all results as ALLOW. Could one explain me how to permit a host placed in interface X to PING interface Y itself?

Thanks a lot beforehand!

 

NB

Attached is the packet-tracer result. What I'm trying to do is to ping DMZ interface (192.168.200.1) from INSIDE host (192.168.100.10).

Labels:
Preview file
5 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎07-27-2015 07:22 AM

Works as designed. The ASA doesn't support pinging a foreign Address. If your ping-host is on the inside interface, you only can ping the inside IP, if your ping-host is in the DMZ, you only can ping the DMZ-IP. The ASA handles this differently then a router.

The only exception is with the "management-access XXX" command when the ping comes through a tunnel.

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to 12oclock12

‎07-27-2015 07:48 AM

You should take the interface states from SNMP instead from pinging.

I don't think that twice-NAT is of much help here. And if it would be, your deployment would get more complex then needed.

If your system can't do anything other then ping, perhaps pinging a system connected to the other interface is of help? If that one responds, you know at least that the ASA interface has to be up. Well, that's not really a solution ... First try to make it work with SNMP.

View solution in original post

5 Replies 5

Go to solution
Karsten Iwen
VIP
VIP

‎07-27-2015 07:22 AM

Works as designed. The ASA doesn't support pinging a foreign Address. If your ping-host is on the inside interface, you only can ping the inside IP, if your ping-host is in the DMZ, you only can ping the DMZ-IP. The ASA handles this differently then a router.

The only exception is with the "management-access XXX" command when the ping comes through a tunnel.

0 Helpful

Go to solution
12oclock12
Level 1
Level 1
In response to Karsten Iwen

‎07-27-2015 07:34 AM

Thank you Karsten for your quick reply. Well, that is a pity though specially if you intend to use a DMZ "free linux systems" monitoring system checking interfaces via snmp however many of these systems need icmp interface check to see up/down state.

 

Perhaps I could try using twice-NAT? Or this won't even help me according to what you have said "FW ios design" ??

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to 12oclock12

‎07-27-2015 07:48 AM

You should take the interface states from SNMP instead from pinging.

I don't think that twice-NAT is of much help here. And if it would be, your deployment would get more complex then needed.

If your system can't do anything other then ping, perhaps pinging a system connected to the other interface is of help? If that one responds, you know at least that the ASA interface has to be up. Well, that's not really a solution ... First try to make it work with SNMP.

Go to solution
12oclock12
Level 1
Level 1
In response to Karsten Iwen

‎07-27-2015 07:49 AM

Indeed. That's what I thought (snmp is working just fine). Will leave ICMP to hosts only behind interface respectively. Thanks a lot for your help! Appreciate it :)

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to 12oclock12

‎07-27-2015 07:56 AM

You are welcome! Come back to the Support-Community anytime again. ;-)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card