Ping outside interface

billybong
Level 1
Level 1

Hi, could someone look over my very basic config and give me a clue as to why I can't ping from an inside interface to the outside?

 

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.2.3 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1
vlan 1
nameif Inside1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1.170
vlan 170
nameif Inside170
security-level 100
ip address 192.170.1.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.100.126 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object network INSIDE1
subnet 192.168.1.0 255.255.255.0
object network obj_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_192.170.1.0
subnet 192.170.1.0 255.255.255.0
object network obj_192.168.100.0
subnet 192.168.100.0 255.255.255.0
pager lines 24
mtu management 1500
mtu Outside 1500
mtu Inside1 1500
mtu Inside170 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_192.168.1.0
nat (Inside1,Outside) dynamic interface
object network obj_192.170.1.0
nat (Inside170,Outside) dynamic interface
object network obj_192.168.100.0
nat (management,Outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3b70dfde577640bfaf3ba4c8df17a979
: end


4 Replies

@billybong enable icmp inspection using the CLI command "fixup protocol icmp" or create an inbound ACL on the outside interface to permit the return icmp traffic.

 

 

Thanks for the reply Rob, so you can't see anything wrong with my config? I have 2 subinterfaces serving 2 VLANs but I still can't ping the outside from inside the networks.


@billybong I can see something wrong, you need to permit the return icmp traffic by using either of my suggestions above. Without either inspecting icmp traffic or an inbound ACL the return icmp traffic will be denied.

 

Also I assume you mean you are pinging a device on the outside of the ASA on the internet? If you are pinging the ASA's outside interface when connected to the inside, that will never work by design. The ASA will not allow pinging through the device to one of the ASA's own interfaces.

Hello,
ICMP is classless, as such it's not subject to the FW's inspection. Enable this via an access-list and access-group, or via the global policy:


policy-map global_policy
class inspection_default
inspect icmp

 

or

access-list 105 permit icmp any any echo-reply

access-group 105 in interface outside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
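An added audit script (written for this page, not from the thread or from Cisco) that turns Rob's and Paul's advice into a check over a pasted running config: it reports whether "inspect icmp" sits in the globally applied policy-map, or whether an ACL bound inbound on Outside permits echo-reply, so you can tell in advance whether ping return traffic will be dropped. Block boundaries are found by keyword rather than indentation because the paste above has lost its indentation; the sample configs are constructed, and the ACE parsing covers only a simplified subset of the ASA grammar (assumptions, not Cisco's parser).

```python
import re
# Constructed excerpt in the shape of the thread's config (indentation lost, as in the post).
BROKEN = """\
policy-map global_policy
class inspection_default
inspect ftp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
!
service-policy global_policy global
"""
# The two fixes suggested in the thread, appended as constructed input.
FIXED_INSPECT = BROKEN.replace("inspect ftp\n", "inspect ftp\ninspect icmp\n")
FIXED_ACL = BROKEN + ("access-list 105 extended permit icmp any any echo-reply\n"
                      "access-group 105 in interface outside\n")
BLOCK_END = re.compile(r"^(policy-map|class-map|service-policy|access-list|!)")

def icmp_inspected(config):
    # True if 'inspect icmp' is inside the policy-map bound with 'service-policy X global'.
    applied = set(re.findall(r"^service-policy (\S+) global", config, re.M))
    current = None
    for line in config.splitlines():
        m = re.match(r"^policy-map (\S+)$", line)   # 'policy-map type inspect ...' does not match
        if m:
            current = m.group(1)
        elif BLOCK_END.match(line):
            current = None
        elif current in applied and line.strip() == "inspect icmp":
            return True
    return False

def echo_reply_allowed_in(config, iface="Outside"):
    # True if an ACL bound inbound on iface permits icmp echo-reply (or all icmp / all ip).
    bound = [n for n, i in re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)
             if i.lower() == iface.lower()]          # nameif matching is case-insensitive
    for name in bound:
        for ace in re.findall(rf"^access-list {re.escape(name)} (?:extended )?permit (.*)$", config, re.M):
            proto, *tok = ace.split()
            if proto == "ip":
                return True
            if proto == "icmp":
                for _ in range(2):                  # skip the src and dst specs
                    if tok.pop(0) not in ("any", "any4", "any6"):
                        tok.pop(0)                  # 'host X', 'object X', 'object-group X' or netmask
                if not tok or tok[0] in ("echo-reply", "0"):   # no type listed = every ICMP type
                    return True
    return False

def ping_return_permitted(config):
    return icmp_inspected(config) or echo_reply_allowed_in(config)
```

Run it over your own "show run" output (with or without indentation); a False from ping_return_permitted means echo-replies will be denied, as in the original post.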