Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
7123
Views
0
Helpful
7
Replies

Cannot Ping www.google.com but the Internet works

cjsunderland
Level 1
Level 1

‎01-12-2012 02:19 PM - edited ‎03-11-2019 03:13 PM

I have recently made some chages to my ASA 5510 (not sure what) I was previously able to ping www.google.com, and I am now not able to ping anything on the Internet, but The Internet connectivity work perfectly. What can I do on my ASA to resolve this?

Labels:
0 Helpful
7 Replies 7

varrao
Level 10
Level 10

‎01-12-2012 02:22 PM

Hi Chris,

can you add "inspect icmp" in the policy-map and try again??/

policy-map global_policy

class inspection_default

   inspect icmp

let me know if it works after this.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

cjsunderland
Level 1
Level 1
In response to varrao

‎01-12-2012 02:34 PM

Is this done from global configuration mode?

0 Helpful

varrao
Level 10
Level 10
In response to cjsunderland

‎01-12-2012 02:37 PM

Yes that is correct:

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)#  class inspection_default

ciscoasa(config-pmap-c)# inspect icmp

It should work after this

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

cjsunderland
Level 1
Level 1
In response to cjsunderland

‎01-12-2012 02:42 PM

hou-fw(config)# policy-map global_policy

hou-fw(config)# class inspection_default

hou-fw(config-cmap)# inspect icmp

                                  ^

ERROR: % Invalid input detected at '^' marker. hou-fw(config)# class inspection_default

This is what I get

0 Helpful

varrao
Level 10
Level 10
In response to cjsunderland

‎01-12-2012 02:58 PM

Hi Chris,

Not sure if you have a policy-map global_policy configured, you can chcek that by the command:

show run policy-map

Chcek what policy-map do you have, under that policy map you would have a class map as well, go into that and then do inspect icmp.

Like mine has:

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

So I do:

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)#  class inspection_default

ciscoasa(config-pmap-c)# inspect icmp

Another way to do it would be to allow the ping replies on the ACL that you have applied on teh outside interface, for that you need to first chcek the name of the access-list that is applied on the outside interface, first do:

show run access-group

it shoudl do:

access-group outside_in in interface outside

then add the acl:

access-list outside_in permit icmp any any

and it shoudl start pinging after that.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

cjsunderland
Level 1
Level 1
In response to varrao

‎01-12-2012 03:08 PM

I have

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

0 Helpful

varrao
Level 10
Level 10
In response to cjsunderland

‎01-12-2012 03:36 PM

Then you just need to get into the policy-map and then class and apply the inspection.

ASA(config)#policy-map global_policy

ASA(config-pmap)# class inpsection_default

ASA(config-pmap-c)# inspect icmp

If this does not go right then may be somewhere something is not done correct or you can also try my ACL suggestion.

PS - Have a look at the things that I have in bold, you shoudl get the same while using the commands.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top