Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
802
Views
0
Helpful
4
Replies

ASA (ver 9.1) Cannot Ping One Website

Go to solution
robert.russom
Level 1
Level 1

‎05-20-2015 08:11 AM - edited ‎03-11-2019 10:58 PM

One of our users reported not being able to reach a hosting site for of their organization's websites - Modwest.com

I can reach it from our external DNS server and from our internet router, but the ASA returns ????? when pinging. There's no ACL blocking their address, and in fact there's nothing in the ASA even close to Modwest's IP. No NAT, no objects, no nothing.

Just as a test, I created ACLs to permit traffic to and from Modwest and added a static route to our outside interface. Still ????? when pinging.

I'm not sure what else to check.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to robert.russom

‎05-20-2015 08:48 AM

Hi,

I don't see any issues trying toi ping this IP.

Do you have any usable Public IP that you can use to NAT a PC behind the ASA device to other than the interface IP and then try to ping the Website. If that works , it means that ASA device interface IP is being blacklisted or blocked on the Web site.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎05-20-2015 08:26 AM

Hi,

This is traffic initiated from the ASA device. There will be no configuration on the ASA device that should be blocking the traffic other than the "icmp" command on the ASA device.

Have you tried to verify pinging the IP address for the Web site instead ? Verify the resolved IP address for the Website.

I don't think this might be an issue with the ASA device.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
robert.russom
Level 1
Level 1
In response to Vibhor Amrodia

‎05-20-2015 08:41 AM

Thanks Vibhor.

The ASA also returns ????? when pinging the IP (204.11.247.3) of the site.

Resolved address is correct. 

I can ping sites like Google, etc from ASA.

We block no traffic out.

Ping from my desktop -> Core Sw (sends traffic to ASA) -> ASA (cannot ping) -> Internet rtr (can ping)

 

Like I said, I don't see anything in the ASA that would block it either, but I'm at a loss as to what is doing it, though.

0 Helpful

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to robert.russom

‎05-20-2015 08:48 AM

Hi,

I don't see any issues trying toi ping this IP.

Do you have any usable Public IP that you can use to NAT a PC behind the ASA device to other than the interface IP and then try to ping the Website. If that works , it means that ASA device interface IP is being blacklisted or blocked on the Web site.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
robert.russom
Level 1
Level 1
In response to Vibhor Amrodia

‎05-20-2015 09:18 AM

Blacklisted!

 

Should have know. Thanks again Vibhor for pointing me in the right direction!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card