ASA Outside Interface Ping not working ...

Jim R, Level 1

Hi all,

Not entirely convinced that I've not missed something very simple along the way, but am looking for some help. Essentially I can't ping the outside interface of my ASA from another network several hops away. However, I can ping devices on the 'inside' interface. I am guessing this is some sort of ICMP policy stopping this, or perhaps just the default behaviour of the ASA, but I'm not sure what I've missed. I am running version 9.4.

Topology is as follows:

192.168.1.0 - Inside
192.168.10.0 - Outside
|
MPLS Network
|
192.168.20.0 - Remote site

Access lists as follows:

outside_out extended permit icmp any any object-group networksvc-ping
outside_in extended permit icmp any any object-group networksvc-ping
inside_out extended permit icmp any any object-group networksvc-ping
inside_in extended permit icmp any any object-group networksvc-ping

Applied to:

access-group outside_in in interface Outside
access-group outside_out out interface Outside
access-group inside_in in interface inside
access-group inside_out out interface inside

Also policy-maps:

policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options

Single default route via the inside. Couple of statics pointing to internal networks behind the inside interface. All inside interface IPs can be pinged. However, from the outside I cannot ping the outside interface. Any ideas/thoughts? I can see nothing in the logs or via debug ICMP, which makes me think it's some sort of default behaviour that drops this traffic automatically. No NAT is configured.

Thanks in advance, happy to post more config if needed.

Many thanks,

8 Replies

Jim R, Level 1

FYI networksvc-grp is as follows:

object-group icmp-type networksvc-ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object source-quench
 icmp-object unreachable

Where is the PC located that you are pinging from? Is the outside interface the ingress interface for the ICMP packets? You may already know, but you cannot ping an interface that is not the ingress interface on the ASA.

If this is not the case, try adding the command icmp permit any outside.

--
Please select a correct answer and rate helpful posts

Hi Maria

The PC is on the outside, so the packet would be inbound on the outside interface. I did try the command you discussed previously, but with no success. Thanks for taking the time to reply though.

If you put a laptop on the same network as the outside interface, are you then able to ping the outside IP of the ASA?

--
Please select a correct answer and rate helpful posts

I'm not physically able to get near the device to try this at the moment, Marius; however, I will give this a go (I am reasonably sure this has worked in the past though, as I think we tested this during deployment).

Cheers,

J

Another thing to check is if the ASA has a route back to the network you are pinging from.

--
Please select a correct answer and rate helpful posts
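The two checks raised above (to-the-box ICMP is controlled by the ASA's icmp rules rather than by the access-groups, and the ASA needs a route back to the pinging network) as an added example configuration for the thread's topology. This is not configuration from the thread or from Cisco; the icmp rule is scoped to the remote subnet instead of "any" so that only the expected source can reach the interface, and the MPLS next-hop address is a placeholder because the thread does not give it:

```text
! Added example, not from the thread. ICMP addressed to the ASA's own
! interface IP is matched against "icmp" rules, not the access-groups
! applied with access-group; anything not permitted here is dropped.
icmp permit 192.168.20.0 255.255.255.0 echo Outside
icmp permit 192.168.20.0 255.255.255.0 echo-reply Outside

! The thread's only default route points at the inside, so an echo-reply
! to 192.168.20.x would be routed inward. Give the remote site an explicit
! return path via the outside next hop (placeholder address, assumed).
route Outside 192.168.20.0 255.255.255.0 <MPLS-NEXT-HOP> 1

! Verification: confirm the icmp rules are in the running config, that the
! remote subnet resolves to the Outside interface, and that echo requests
! actually arrive on Outside (the capture only matches ICMP from the
! remote subnet, so it stays small).
show running-config icmp
show route
capture icmptest interface Outside match icmp 192.168.20.0 255.255.255.0 any
show capture icmptest
no capture icmptest
```

If the capture shows echo requests arriving but no echo-reply leaving, the return route is the remaining suspect; if nothing arrives at all, the drop is upstream of the ASA.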

Florin Barhala, Level 6

I'm pretty sure you just messed up the 4 ACLs you're using on in/out for the two interfaces.

I suggest you use the now classic in direction for each of the two interfaces and so you get rid of two additional ACLs. Then carefully review the rest of applied ACLs.

If you still have issues run clear configure access-group and test again.

Hi Florin,

Originally the configuration had the traditional 'in' rules only. The outbound rules were added to see if they made any difference, which they didn't. I've had it set where we have allowed ICMP in on both the inside and outside interfaces, yet still no dice.

Thanks for your input though. 

J
