ASA ping issue

 I am having trouble pinging from one zone to another

Zone-Management cannot ping Zone-Inside and vice versa. At first I was able to ping the management PC but couldn't ping the inside PC. I have played around with the service policy and ACL but no luck. Any help would be appreciated.

hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0
 nameif management
 security-level 100
 ip address
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address
interface GigabitEthernet2
 nameif OUTSIDE
 security-level 0
 ip address
interface GigabitEthernet3
 nameif DMZ
 security-level 50
 ip address
interface GigabitEthernet4
 no nameif
 no security-level
 no ip address
interface GigabitEthernet5
 no nameif
 no security-level
 no ip address
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Network
object network test
object network ASA-Gateway
object network Management-Gateway
object-group icmp-type SG-ICMP
 icmp-object echo
 icmp-object echo-reply
access-list LAN-WAN-FTP extended permit tcp any any eq ftp
access-list management_access_in extended permit tcp any eq telnet
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
access-group management_access_in in interface management
route OUTSIDE 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
class-map global-class
 match any
policy-map global-policy
 class global-class
  inspect icmp
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http CEService
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily


Marvin Rhoads
VIP Community Legend

You have applied the access-list:

access-list management_access_in extended permit tcp any eq telnet

...on your management interface. That will prohibit other traffic from being originated on hosts connected via that interface.

You can check the flow through the ASA for a given protocol, source address, destination address, etc. using the packet-tracer CLI utility. It will highlight which step is failing in establishing the flow. See this link for reference.

I agree with Marvin's observation about your ACL. That's the most obvious thing to change, because it affects the ASA's default behavior, which is to allow traffic through the ASA if it's going out an interface with a lower security level, and to let the stateful return traffic back in that interface. In fact, since your ACL is allowing Telnet to go out the outside interface (which has the lowest security level), the default behavior (no ACL required) would already allow that, and the ACL you have in place is only necessary if your intent is to restrict Telnet to only the subnet and no other addresses.

Regarding your change to the service policies, I would suggest that unless you have good reason to, removing the standard inspections is probably not a good idea. They are there by default for a reason. Adding ICMP to the list is fine, and something I've done frequently, but without good reason otherwise, I would add the other default protocols back in.

Hope you're well, Marvin!


Thanks for the reply.

I have added the ACL; I am able to ping the management PC from the network but not the other way around. I have also added an ACL for that.


ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list LAN-WAN-FTP; 1 elements; name hash: 0x91ef8aeb
access-list LAN-WAN-FTP line 1 extended permit tcp any any eq ftp (hitcnt=0) 0x194240d3
access-list management_access_in; 3 elements; name hash: 0x4814da18
access-list management_access_in line 1 extended permit tcp any eq telnet (hitcnt=0) 0x22c167b0
access-list management_access_in line 2 extended permit tcp eq echo (hitcnt=0) 0x9bdc8461
access-list management_access_in line 3 extended permit tcp eq echo (hitcnt=0) 0x41a939ad

Even though I am able to ping that PC, I don't see the number on the hit count changing.

"ping" does not use tcp (or run over ip) - it uses icmp (a protocol "parallel" to ip) - so your access-list entries for tcp with the echo service are incorrect.

And hi to John - doing OK thanks!
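As an added example, not code from the thread or from Cisco: a small Python checker that parses `show access-list` output (a constructed sample modelled on the one posted above, with documentation address ranges substituted for the stripped addresses) and reports which entries could ever match an ICMP echo request. It also rewrites each `tcp ... eq echo` entry as the ICMP entry using the `SG-ICMP` icmp-type object-group that is defined, but unused, in the posted config; the object-group name and the sample addresses are assumptions.

```python
"""Sanity-check ASA access-list entries that are meant to permit ping.

Added example for this thread, not code from Cisco or the poster.  It parses
the text of `show access-list`, reports which ACEs could ever match an ICMP
echo request, and flags entries written as `tcp ... eq echo`, which match the
TCP Echo service on port 7 and never ICMP.  The sample output is constructed:
the thread's addresses were stripped, so documentation ranges (192.0.2.0/24,
198.51.100.0/24) stand in for the management and inside subnets.
"""
import re

# Constructed sample modelled on the `show access-list` output in the thread.
SAMPLE_SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list LAN-WAN-FTP; 1 elements; name hash: 0x91ef8aeb
access-list LAN-WAN-FTP line 1 extended permit tcp any any eq ftp (hitcnt=0) 0x194240d3
access-list management_access_in; 3 elements; name hash: 0x4814da18
access-list management_access_in line 1 extended permit tcp any host 198.51.100.10 eq telnet (hitcnt=0) 0x22c167b0
access-list management_access_in line 2 extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq echo (hitcnt=0) 0x9bdc8461
access-list management_access_in line 3 extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq echo (hitcnt=0) 0x41a939ad
"""

# One ACE per line: "access-list <name> line <n> extended <action> <proto> <addrs/ports> (hitcnt=<n>) 0x..."
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)"
)

# ICMP type keywords the ASA accepts at the end of an icmp ACE; only "echo" covers a ping request.
ICMP_TYPE_KEYWORDS = {
    "echo", "echo-reply", "unreachable", "time-exceeded", "redirect", "source-quench",
    "traceroute", "timestamp-request", "timestamp-reply", "information-request",
    "information-reply", "mask-request", "mask-reply", "parameter-problem",
    "router-advertisement", "router-solicitation",
}


def parse_aces(show_output):
    """Return one dict per ACE found in `show access-list` text (summary lines are skipped)."""
    aces = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["line"] = int(ace["line"])
            ace["hits"] = int(ace["hits"])
            aces.append(ace)
    return aces


def classify_for_ping(ace):
    """Classify whether an ACE can match an ICMP echo request (ICMP type 8)."""
    tokens = ace["rest"].split()
    if ace["proto"] == "ip":
        return "matches-icmp"            # every IP protocol, ICMP included
    if ace["proto"] == "icmp":
        last = tokens[-1]
        if last in ICMP_TYPE_KEYWORDS and last != "echo":
            return "icmp-other-type"     # e.g. echo-reply only: the request itself is not covered
        return "matches-icmp"            # no type (all ICMP), "echo", or an icmp-type object-group
    if ace["proto"] in ("tcp", "udp") and tokens[-2:] == ["eq", "echo"]:
        return "tcp-udp-port-7"          # the Echo service on port 7, not ICMP echo
    return "other"


def corrected_ace(ace, icmp_group="SG-ICMP"):
    """Rewrite a `tcp|udp ... eq echo` ACE as the ICMP ACE the author most likely intended.

    `SG-ICMP` is the icmp-type object-group (echo, echo-reply) already defined in the
    posted config; it is assumed to exist on the box.  Returns None when no rewrite is needed.
    """
    if classify_for_ping(ace) != "tcp-udp-port-7":
        return None
    addresses = " ".join(ace["rest"].split()[:-2])   # drop the trailing "eq echo"
    return (f"access-list {ace['acl']} extended {ace['action']} icmp "
            f"{addresses} object-group {icmp_group}")


def ping_report(show_output, acl_name):
    """Summarise, for one ACL, whether ping can get through it and which entries are suspect."""
    aces = [a for a in parse_aces(show_output) if a["acl"] == acl_name]
    verdict = {a["line"]: classify_for_ping(a) for a in aces}
    return {
        # An interface ACL ends in an implicit deny, so without a matching permit ICMP is dropped.
        "permits_icmp_echo": any(
            a["action"] == "permit" and verdict[a["line"]] == "matches-icmp" for a in aces),
        "port7_echo_lines": [a["line"] for a in aces if verdict[a["line"]] == "tcp-udp-port-7"],
        # hitcnt=0 means no packet has ever matched the entry; ICMP never can for a tcp entry.
        "zero_hit_lines": [a["line"] for a in aces if a["hits"] == 0],
        "suggested_fixes": [fix for fix in (corrected_ace(a) for a in aces) if fix],
    }


if __name__ == "__main__":
    for key, value in ping_report(SAMPLE_SHOW_ACL, "management_access_in").items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows no entry that can permit ICMP echo, lines 2 and 3 flagged as port-7 entries, and the two rewritten `permit icmp ... object-group SG-ICMP` lines. The zero hit counts are consistent with the explanation above: nothing has matched those entries, and once an ACL is applied inbound on the management interface the implicit deny at its end drops any protocol not explicitly permitted.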
