Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
493
Views
0
Helpful
3
Replies

Backup WAN is not pingable on ASA

Matt
Level 1
Level 1

‎11-02-2017 11:17 PM - edited ‎02-21-2020 06:38 AM

I have an ASA with two WAN uplinks. The backup WAN is not pingable while the primary WAN is. However, I can SSH into the ASA on either uplink. I've seen a few articles saying that this behavior is expected and I was wondering if anyone could explain why I cannot ping the backup WAN even though I can SSH to it. Is there a routing condition that affects pings but not SSH in this case, or is there something else I am missing?

Labels:
0 Helpful
3 Replies 3

Flavio Miranda
VIP
VIP

‎11-03-2017 04:50 AM

Hi @Matt

Firewall does not allow for ping on the outside interfaces for security reason. Most exploit tools use icmp response to make sure host is alive and start scratching.

 If this is necessary for some reason try to allow it:

 

icmp permit any unreachable outside

icmp permit any time-exceeded outside

icmp permit any echo-reply outside

no icmp deny any outside

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

Matt
Level 1
Level 1
In response to Flavio Miranda

‎11-03-2017 08:03 AM

Hi Flavio,

 

That ICMP access is already permitted. Both the WAN1 and WAN2 use the same access-group to permit this traffic so in this case I think it's something outside of the access rules causing it to be unpingable.

0 Helpful

Flavio Miranda
VIP
VIP
In response to Matt

‎11-03-2017 01:14 PM

Are you inspecting icmp on this firewall ?

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card