ASA How to allow ping (any icmp) from inside to IP of external interface?

lonelyadmin
Level 1

ASA 9.12(2) 5516-X

Device 7.12(2)


I just want to be able to ping the IP addresses assigned to my external interfaces. Each outside interface is a /29 subnet with an IP and a gateway in that subnet. I can ping the gateway IPs from inside, but not the IP of the interface itself. Each one of the gateway IP addresses is in the routing table as they all have "route outside-intx 0.0.0.0 0.0.0.0 $gateway_ip" entries with different metrics or policy maps to guide traffic. When I run a packet tracer for ping or ICMP from inside to any outside interface IP I get no route found, which is true. There is no route to that /29 subnet applied to the external interface, there is only the static route I just mentioned earlier... and you can't apply a netmask to that. Seems like this should be easy, so I'm likely just missing something (obviously).


I do have ICMP inspection on and allow ICMP to the external interfaces from "any" (yes, the evil Internet can ping my firewall).


So how can I allow ICMP traffic from my inside (sec level 100) to the IP addresses assigned to my outside interfaces (sec level 0)?


Just to be clear, it's a multi-WAN setup with multiple external interfaces.


1 Accepted Solution


Hi,

You cannot, that's by design. The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface. Reference here.


HTH


2 Replies


Hrm... well, ok then. Good to know. I guess the key there is "The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface." I just don't really understand why it's not configurable. If I want to shoot myself in the foot, it should allow me to. I can do this with almost any other firewall.


As this is primarily for monitoring, I've just set up my monitor box IP (on the inside int) to NAT out using an IP that is on the corresponding outside interface that the ASA won't let me ping. I'm doing some other rudimentary SNMP interface checks too, so that should suffice.
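The monitoring workaround described in the reply above, written out as an added example (this is not configuration from the thread or from Cisco). It assumes constructed values: a monitor host 10.0.0.50 on the "inside" interface, two outside interfaces named "outside-int1" and "outside-int2", and their upstream gateways 203.0.113.1 and 198.51.100.1. Manual (twice) NAT is used so one monitor host can be translated to the IP of each outside interface in turn; dynamic PAT is chosen rather than a static mapping so nothing inbound is forwarded to the monitor host unless an access rule separately permits it.

```cisco
! Added example, not from the thread. Constructed addresses and interface names.
! The monitor host on "inside" egresses each WAN link using that outside
! interface's own IP and pings the gateway of that /29, which the ASA will
! answer for (the interface IP itself is not reachable from inside, by design).
object network MONITOR-HOST
 host 10.0.0.50
!
! One manual NAT rule per outside interface: source translated to the
! interface IP (dynamic PAT). ICMP PAT relies on ICMP inspection being
! enabled, which the original poster already has.
nat (inside,outside-int1) source dynamic MONITOR-HOST interface
nat (inside,outside-int2) source dynamic MONITOR-HOST interface
!
! Verify the path and the translation before trusting the monitor results
! (ICMP type 8, code 0 = echo request):
packet-tracer input inside icmp 10.0.0.50 8 0 203.0.113.1
packet-tracer input inside icmp 10.0.0.50 8 0 198.51.100.1
show xlate | include 10.0.0.50
```

The gateway of each /29 is directly connected on its outside interface, so the connected route wins regardless of the metrics on the default routes; a failed ping from the monitor host then indicates the link or upstream gateway rather than the firewall's own interface.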
