
Can't Ping ASA different interfaces

Jayesh Rajan
Level 1

We are using a Cisco ASA 5580 (8.2) firewall. When I try to ping from the inside LAN to the firewall's DMZ interface IP, it is not pingable, but from inside users I am able to ping the firewall's inside interface IP address.

I think we can't ping other interfaces of the ASA by default. But can we allow a single IP address that can ping all the interfaces of the firewall?

We are not doing any NATing on the firewall; for that we used the load balancer.

Thanks...


Julio Carvajal
VIP Alumni

Hello Jayesh,

The ASA, as a security device, will not allow you to ping a distant interface....

What is a distant interface?

As an example, imagine you are on a host behind the inside interface.. You will be able to ping the inside interface but you will NOT be able to ping the DMZ or outside interface... This is because they are distant interfaces for the inside host..

There is nothing you can do to change that behavior; this is done as a security measure by the ASA (built-in feature).

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jayesh,

Julio is right that ping is not allowed by default. But you can still allow the ping by allowing ICMP in your DMZ access-list for a specific host. You also need to allow ICMP from the DMZ interface.

ASA(config)# icmp permit host xxxx echo DMZ

ASA(config)# access-list DMZ-In extended permit icmp xxxx(DMZ host) host yyyy(inside host)

Thanks,

Jong

Hello Jong,

I think he is referring to pinging the DMZ interface from the inside.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Oh yes.. it's the interface and not the host. You're correct, ping is not allowed for this scenario.

Regards,

Jong

Hello Jong,

Yep, that is right.

Have a good one!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jayesh Rajan
Level 1

Thanks All....

Is there any Cisco document available where this is mentioned?
