02-21-2016 01:14 PM - edited 03-12-2019 12:22 AM
Hi all,
Not entirely convinced that I've not missed something very simple along the way, but am looking for some help. Essentially I can't ping the outside interface of my ASA from another network several hops away. However, I can ping devices on the 'inside' interface. I am guessing this is some sort of ICMP policy stopping this, or perhaps just the default behaviour of the ASA, but I'm not sure what I've missed. I am running version 9.4.
Topology is as follows:
192.168.1.0 - Inside
192.168.10.0 - Outside
|
MPLS Network
|
192.168.20.0 - Remote site
Access lists as follows:
outside_out extended permit icmp any any object-group networksvc-ping
outside_in extended permit icmp any any object-group networksvc-ping
inside_out extended permit icmp any any object-group networksvc-ping
inside_in extended permit icmp any any object-group networksvc-ping
Applied to:
access-group outside_in in interface Outside
access-group outside_out out interface Outside
access-group inside_in in interface inside 
access-group inside_out out interface inside
Also policy-maps:
policy-map icmp_policy
 class icmp-class
  inspect icmp 
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options
Single default route via the inside. A couple of statics point to internal networks behind the inside interface. All inside interface IPs can be pinged. However, from the outside I cannot ping the outside interface. Any ideas/thoughts? I can see nothing in the logs or via debug ICMP, which makes me think it's some sort of default behaviour that drops this traffic automatically. No NAT is configured.
Thanks in advance, happy to post more config if needed.
Many thanks,
02-21-2016 01:15 PM
FYI networksvc-grp is as follows:
object-group icmp-type networksvc-ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object source-quench
 icmp-object unreachable
02-21-2016 01:42 PM
Where is the PC located that you are pinging from? Is the outside interface the ingress interface for the ICMP packets? You may already know, but you cannot ping an interface that is not the ingress interface on the ASA.
If this is not the case, try adding the command icmp permit any outside.
--
Please select a correct answer and rate helpful posts
02-21-2016 02:34 PM
Hi Maria
The PC is on the outside so the packet would be inbound on the outside interface. I did try the command you discussed previously but with no success. Thanks for taking the time to reply though
02-21-2016 02:37 PM
If you put a laptop on the same network as the outside interface, are you then able to ping the outside IP of the ASA?
--
Please select a correct answer and rate helpful posts
02-22-2016 01:40 PM
I'm not physically able to get near the device to try this at the moment, Marius; however, I will give this a go (I am reasonably sure this has worked in the past, though, as I think we tested this during deployment).
Cheers,
J
02-22-2016 01:54 PM
Another thing to check is if the ASA has a route back to the network you are pinging from.
--
Please select a correct answer and rate helpful posts
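The two checks suggested above (Maria's icmp rule for the outside interface and Marius's route back to the remote site), written out as an added ASA 9.4 CLI example that is not from the thread. The outside interface address 192.168.10.1, the remote PC 192.168.20.10 and the MPLS next hop 192.168.10.254 are assumed.

```cisco
! Added example, not from the thread. Assumed addressing:
!   Outside interface 192.168.10.1, remote PC 192.168.20.10,
!   MPLS next hop on the outside segment 192.168.10.254.
!
! The interface ACLs (outside_in, inside_out, ...) only govern traffic
! passing through the ASA. Pings addressed to an ASA interface are
! governed by "icmp" rules instead; with no icmp rules configured the
! default is to allow them. An interface only answers pings that arrive
! on that interface, so the remote PC must reach Outside directly.
!
! 1. To-the-box ICMP from the remote site only. The interface name
!    must match the nameif exactly (the access-group lines use Outside).
icmp permit 192.168.20.0 255.255.255.0 Outside
icmp deny any Outside
!
! 2. Return path. With only a default route via inside, echo replies
!    to 192.168.20.x follow the routing table toward inside rather than
!    back out Outside. Point the remote site at the MPLS next hop.
route Outside 192.168.20.0 255.255.255.0 192.168.10.254 1
!
! 3. Verify: confirm the rules and the route, then capture ICMP to the
!    outside address while the remote PC pings 192.168.10.1.
show running-config icmp
show route
capture icmp_to_box interface Outside match icmp any host 192.168.10.1
show capture icmp_to_box
no capture icmp_to_box
```

If the capture shows echo requests arriving but no echo replies leaving, the route back (step 2) or the icmp rules (step 1) are the first things to re-check.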
02-22-2016 01:22 PM
I'm pretty sure you just messed up the 4 ACLs you're using on in/out for the two interfaces.
I suggest you use the now-classic 'in' direction for each of the two interfaces, and so get rid of the two additional ACLs. Then carefully review the rest of the applied ACLs.
If you still have issues run clear configure access-group and test again.
02-22-2016 01:39 PM
Hi Florin,
Originally the configuration had the traditional 'in' rules only. The outbound rules were added to see if they made any difference, which they didn't. I've had it set where we have allowed ICMP in on both the inside and outside interfaces, yet still no dice.
Thanks for your input though.
J