Re: I cannot Ping my ASA outside Interface

daffydee88 · ‎07-02-2019

Hello Engineers,

Please i am having an issue which i feel might be a bug.

I cannot ping my ASA 5515 outside interface.

i have enabled : icmp permit any outside

When i ping the outside interface the get the Logs below:

Jul 02 2019 19:32:25 192.168.15.3 : %ASA-3-313001: Denied ICMP type=8, code=0 from 41.216.166.82 on interface outside

Jul 02 2019 19:32:27 192.168.15.3 : %ASA-3-313001: Denied ICMP type=8, code=0 from 41.216.166.82 on interface outside

Jul 02 2019 19:32:29 192.168.15.3 : %ASA-3-313001: Denied ICMP type=8, code=0 from 41.216.166.82 on interface outside

Jul 02 2019 19:32:31 192.168.15.3 : %ASA-3-313001: Denied ICMP type=8, code=0 from 41.216.166.82 on interface outside

I have permitted icmp on the outside interface as:

access-list OUT-IN extended permit icmp any any

But i still cannot ping the outside interface and when i initiate ping to the internet i get:

ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

?????

please help

Rob Ingram · ‎07-02-2019

Hi,
Where are you pinging the ASA from? If you are behind the inside interface and ping the outside interface, then by design the ASA will not respond to a ping.

As far as pinging the internet, enable ICMP inspection:-

policy-map global_policy
class inspection_default
inspect icmp

HTH

daffydee88 · ‎07-02-2019

I am pinging from the ASA while connected to the device via ssh.

inspect icmp is configured on the global policy-map

herm · ‎07-02-2019

is your outside interface route to wan gw?
cli: sh run route
route outside 0.0.0.0 0.0.0.0 123.456.123.678 (how mine looks)
i get that issue you are having when i dont route the outside interface to the wan gateway.

daffydee88 · ‎07-02-2019

I have default route to the internet installed on the routing table.

route outside 0.0.0.0 0.0.0.0 x.x.x.x

how ever, when i do:

sh route outside 8.8.8.8

ERROR:

% Network not in table

Can this be the cause?

GRANT3779 · ‎07-03-2019

Is your Outside interface actually up?

Show inter ip brief

daffydee88 · ‎07-03-2019

Yes my Outside interface is up.

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 x.x.x.x YES CONFIG up up

GigabitEthernet0/0.10 x.x.x.x YES CONFIG up up

GigabitEthernet0/1 x.x.x.x YES CONFIG up up

GigabitEthernet0/2 x.x.x.x YES CONFIG up up

GigabitEthernet0/3 unassigned YES unset administratively down down

GigabitEthernet0/4 unassigned YES unset administratively down down

GigabitEthernet0/5 unassigned YES unset administratively down down

GRANT3779 · ‎07-03-2019

Which is the Outside Interface?
Also not entirely sure where you are pinging from/what your are pinging?
You mentioned you are pinging from the ASA itself? What are you trying to Ping? An Internet address from the ASA rather than the ASA 'outside' interface? Or are you trying to ping the physical Outside interface address from somewhere? Slightly confused as to what is being pinged and from where exactly.

daffydee88 · ‎07-03-2019

Hi,

I am pinging from the ASA to an address on the internet , for example www.google.com.

I am also pinging the ASA outside interface from a remote device i have on the internet.

All of which is failing.

GRANT3779 · ‎07-03-2019

I'm assuming at this point you don't have Internet access from any network behind the LAN side on Firewall?
What is your default gw? An ISP connected device? Is this directly connected or a switch in between? What is your actual outside interface on the asa? I notice you have sub interface for one of them, Gi0/0. What is the output of show arp? Do you see your default gateway IP in the arp table? Without knowing how this is connected or seeing the config we can only best make assumptions on certain thngs. More info you can provide the easier it should be to figure this out.