Solved: ASA5505:unable to ping from sec level 100 to sec level 70

rakyomin78 · ‎06-26-2011

I can establish FTP and HTTP connection from inside (sec level 100) to polling (sec level 70)

I attempted to enable icmp echo reply from pc to server.

Well I failed...packet tracer showed fine... all phases allowed... but my pc simply cannot get a ping reply from the server...

pc can ping to inside interface but cannot ping to polling interface...

btw... i have added a line in inspection_default

inspect icmp

i should be able to ping to lower sec level since icmp is inspected.. but still i cannot ping to server in sec level 70... what have i done wrong?

thanks.

advijay · ‎06-26-2011

Hey,

From the configuration attached, I observed on the inside interface, you have applied access list "test" in the in-bound direction. "test" access list will allow TCP and UDP for object group servers along with ICMP for object group ping-reply (which has no icmp-object to allow "echo" icmp-object).

Add a icmp-object echo in the object-group icmp-type and test.

Hope this helps.

Regards,

Adtiya

View solution in original post

advijay · ‎06-26-2011

Hey,

From the configuration attached, I observed on the inside interface, you have applied access list "test" in the in-bound direction. "test" access list will allow TCP and UDP for object group servers along with ICMP for object group ping-reply (which has no icmp-object to allow "echo" icmp-object).

Add a icmp-object echo in the object-group icmp-type and test.

Hope this helps.

Regards,

Adtiya

rakyomin78 · ‎06-26-2011

Hi Adtiya,

I got it working and you are right

what i did not test is the echo using packet-tracer, when i tested the echo it was dropped by implicit deny from the inside.

Cyrus