
Outside host cannot ping host in DMZ even with ACLs configured for ICMP

Waterbird
Level 1

This is an ASA access list question. Why am I not able to ping the host in the DMZ from the host in the OUTSIDE? I have ACLs configured to allow ICMP, so not sure what I'm missing here.

 

 


Seb Rupik
VIP Alumni

Hi there,

Try the following configuration command:

!
fixup protocol icmp
!

...to enable inspection of ICMP.

 

cheers,

Seb.

Thanks, however applying that command did not change the behavior. Also, I had already added "inspect icmp" to the MPF.

1. Check the Identity NAT rule on the ASA

2. Check the route on the client

3. Check if there is a personal FW on the client

Ashley Hare
Level 1

Hi there,


Would it be possible to share more of the config?

 

Musing, but let me know if any of the following isn't on track -

 

  • Switch 2 is a layer 2 switch and e0/e2 are on the same VLAN.
  • Your DHCP client obtains an IP on the same subnet as the outside interface of the ASA.
  • Your obtained default gateway on the DHCP client is that of the ASA's outside interface.
  • Your ASA outside interface is not shutdown, has the correct name assigned, security-level assigned and has the correct IP address/mask applied.
  • Ditto with your DMZ interface.
  • Your DMZ host also has the correct default gateway assigned, and is pingable from the ASA's DMZ interface.
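
The checks suggested in the replies above, written out as ASA CLI commands. This is an added example, not part of the original thread or anyone's actual configuration; the interface names `outside` and `dmz`, the ACL name `OUTSIDE_IN`, and the documentation-range addresses are assumptions.

```cisco
! Constructed example: names and addresses are assumptions, not from the thread.
!   outside host 198.51.100.10, DMZ host 192.0.2.20

! 1. Interfaces: up/up, with the expected nameif, security-level and IP/mask
show interface ip brief
show nameif
show running-config interface

! 2. An ACL permitting echo must exist AND be bound inbound on the outside
!    interface; an access-list without an access-group has no effect.
!    If the DMZ host is translated, ASA 8.3 and later match the ACL against
!    its real (untranslated) address.
access-list OUTSIDE_IN extended permit icmp any host 192.0.2.20 echo
access-group OUTSIDE_IN in interface outside
show running-config access-group
! The hit count on the permit line should rise while the ping is running
show access-list OUTSIDE_IN

! 3. ICMP inspection in the default MPF policy, so the ASA tracks each
!    echo request and its reply as one session
policy-map global_policy
 class inspection_default
  inspect icmp
show running-config policy-map

! 4. NAT rules and routes as the ASA sees them
show running-config nat
show route

! 5. Ask the ASA which phase handles or drops the echo request
!    (ICMP type 8, code 0) arriving on the outside interface
packet-tracer input outside icmp 198.51.100.10 8 0 192.0.2.20 detailed

! 6. Confirm the DMZ host answers the ASA itself from the dmz interface
ping dmz 192.0.2.20
```

In the `packet-tracer` output, the first phase whose result is DROP names the feature (ACL, NAT, route lookup) to look at next; if every phase shows ALLOW, the remaining suspects are the hosts' default gateways and any host firewall.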

 
