11-02-2017 11:17 PM - edited 02-21-2020 06:38 AM
I have an ASA with two WAN uplinks. The backup WAN is not pingable while the primary WAN is. However, I can SSH into the ASA on either uplink. I've seen a few articles saying that this behavior is expected and I was wondering if anyone could explain why I cannot ping the backup WAN even though I can SSH to it. Is there a routing condition that affects pings but not SSH in this case, or is there something else I am missing?
11-03-2017 04:50 AM
Hi @Matt
The firewall does not allow ping on the outside interfaces for security reasons. Most exploit tools use the ICMP response to make sure a host is alive before they start scratching.
If this is necessary for some reason, try allowing it:
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
no icmp deny any outside
-If I helped you somehow, please, rate it as useful.-
11-03-2017 08:03 AM
Hi Flavio,
That ICMP access is already permitted. Both WAN1 and WAN2 use the same access-group to permit this traffic, so in this case I think it's something outside the access rules that is causing it to be unpingable.
11-03-2017 01:14 PM
Are you inspecting ICMP on this firewall?
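As an added example that is not from any poster in this thread: the ASA configuration fragment below separates the two ICMP controls the thread touches on, the `icmp` command (ICMP addressed to the ASA's own interfaces, which is what a ping to the WAN interface is) and `inspect icmp` in the service policy (ICMP passing through the ASA), and lists the checks to run before concluding that routing is at fault. The interface names WAN1 and WAN2 and the addresses 203.0.113.10 (tester) and 198.51.100.2 (WAN2 interface) are assumed placeholders, not values from the thread.

```cisco
! Added example, not from the original thread. Interface names and addresses
! are assumed placeholders.
!
! 1) ICMP *to the ASA's own interfaces* is governed by the "icmp" command.
!    A ping to the WAN2 interface arrives as an echo request (ICMP type 8),
!    so the interface must accept "echo", not only "echo-reply".
!    Rules are matched in order; the final deny catches everything else.
icmp permit any echo WAN2
icmp permit any echo-reply WAN2
icmp permit any unreachable WAN2
icmp permit any time-exceeded WAN2
icmp deny any WAN2
!
! 2) ICMP *through the ASA* is governed by ICMP inspection in the global
!    service policy, which is what "are you inspecting ICMP?" refers to.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 3) Checks to run before assuming a bug.
! Interface-level ICMP rules currently in effect:
show running-config icmp
! Confirms ICMP inspection is active in the policy:
show service-policy inspect icmp
! Shows which interface a reply to the tester would leave by:
show route
! Simulate the echo request (type 8, code 0) arriving on WAN2 and see
! whether the ASA accepts it and on which interface it answers:
packet-tracer input WAN2 icmp 203.0.113.10 8 0 198.51.100.2
! Capture ICMP on both WAN interfaces to see where the request arrives
! and where the reply actually goes out:
capture icmpwan1 interface WAN1 match icmp any any
capture icmpwan2 interface WAN2 match icmp any any
show capture icmpwan1
show capture icmpwan2
```

If `packet-tracer` reports the echo request as allowed and the capture on WAN2 shows the request arriving but the echo reply appears only in the WAN1 capture, the interface-level ICMP rules are not the problem; the reply is being sent out the other uplink, which matches the asker's observation that only SSH, not ping, works on the backup WAN.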