inside to outside ping in ASA
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-05-2009 08:30 AM - edited 03-11-2019 08:00 AM
Hi, I have configured an ASA recently. After finishig of basic configurations, I tried ping from inside to outside interface and vice versa. But ping is not successful. I was getting ?????. I have tried "icmp permit any OUTSIDE" and "icmp permit any INSIDE" in vain. Please help me with a solution.
- Labels:
-
NGFW Firewalls
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-05-2009 09:14 AM
Are you pinging from a host behind the ASA to a host outside the ASA?
If yes you need to enable ICMP inspection under the policy map:
policy-map global_policy
class inspection_default
inspect icmp
Or are you using the inside interface to ping the outside interface?
If yes this is not supported.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-05-2009 11:17 AM
Hi,
The commands "icmp permit any OUTSIDE" and "icmp permit any INSIDE" control ICMP to the ASA itself.
To allow icmp through the ASA then use access-lists
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-05-2009 11:19 AM
Here, try reading this for more information
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-05-2009 11:56 PM
Try enabling icmp inspect as per Ivan.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-06-2009 02:29 AM
Read but still not working, need more clarity about ASA permit and deny and also about ICMP
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-06-2009 02:37 AM
Hi,
Here are some configuration examples on how to get ICMP thorugh the ASA working.
access-list in_on_inside permit icmp any any echo
access-group in_on_inside in interface inside
access-list in_on_outside permit icmp any any echo-reply
access-group in_on_outside in interface outside
or
access-list in_on_inside permit icmp any any echo
access-group in_on_inside in interface inside
policy-map global_policy
class inspection_default
inspect icmp
Also, is nat-control disabled on your firewall? Yo ucan make sure by typing
no nat-control
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-06-2009 07:54 AM
How are you trying to ping? Is it from a host behind asa to a host outside asa? or from the actual interfaces?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-07-2009 08:16 AM
I am pinging from a switch and my Laptop behind ASA.
Just simply pissed off. Today it started pinging and I started testing failover, powered off my secondary ASA and since then it again stopped Pinging. I restarted my failover ASA but :(
PFA configuration of all the devices and let me know if you find any configuration issue in any of the device.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-09-2009 08:24 PM
Frnds, Thanks a lot for all your suggestions and help. The problem is solved. Apparently it was a routing loop problem causing the issue.
Ashish
