12-05-2009 12:28 PM - edited 03-11-2019 09:45 AM
I have a problem, as I permitted PING by the following commands:
icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside
I can ping from the outside (PC) to the inside (PC), but I can't ping from the inside (PC) to the outside (PC).
And another question: can the interfaces of the firewall ping each other if I use extended ping on the firewall? Because in this state both interfaces are not pinging each other either.
Thanks In Advance
Ayman Yehia
12-05-2009 03:57 PM
207558867 wrote:
I have a problem, as I permitted PING by the following commands:
icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside
I can ping from the outside (PC) to the inside (PC), but I can't ping from the inside (PC) to the outside (PC).
And another question: can the interfaces of the firewall ping each other if I use extended ping on the firewall? Because in this state both interfaces are not pinging each other either.
Thanks In Advance
Ayman Yehia
Ayman
The "icmp permit ..." command controls how interfaces on the firewall can be pinged, not which devices can ping through the firewall.
Have a look at this document which covers how to allow ping through an ASA/Pix firewall -
Can the interfaces ping each other - no they can't.
Jon
12-06-2009 11:56 AM
Hi Yehia,
I believe you need to add ICMP to your inspection policy-map. After I issued 'inspect icmp' from within my policy-map it worked.
On my ASA 5505 in my home lab I have the following:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Hope that helps.
Conor
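The distinction drawn in the two replies above ("icmp permit" covers pings to the firewall's own interfaces, while "inspect icmp" in an applied policy-map covers ping through it) can be checked against a saved configuration. The following Python check is an added example, not code from any poster in this thread; the sample config is constructed from the thread's commands and audit_icmp is a hypothetical helper name.

```python
# Constructed sample: the thread's "icmp permit" lines, with no "inspect icmp".
SAMPLE = """\
icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
service-policy global_policy global
"""

def audit_icmp(config: str) -> dict:
    """Report to-the-box ICMP rules and whether ICMP inspection is applied."""
    to_box = set()      # interfaces named in "icmp permit|deny ..." lines
    inspected = set()   # policy-maps that contain "inspect icmp"
    applied = set()     # policy-maps bound with "service-policy"
    current = None      # Layer 3/4 policy-map currently being read
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "icmp" and len(tok) >= 4 and tok[1] in ("permit", "deny"):
            to_box.add(tok[-1])              # interface name is the last token
        elif tok[0] == "policy-map":
            # "policy-map type inspect ..." maps do not hold "inspect icmp"
            current = tok[1] if len(tok) == 2 else None
        elif tok == ["inspect", "icmp"] and current:
            inspected.add(current)
        elif tok[0] == "service-policy" and len(tok) >= 3:
            applied.add(tok[1])
    return {
        "to_box_interfaces": sorted(to_box),
        "icmp_inspection_applied": bool(inspected & applied),
    }

if __name__ == "__main__":
    result = audit_icmp(SAMPLE)
    print(result)
    if result["to_box_interfaces"] and not result["icmp_inspection_applied"]:
        print("icmp permit rules found, but no applied policy-map has 'inspect icmp'")
```

The parser keys on command keywords rather than indentation, so it also works on a configuration whose leading spaces were lost when it was pasted.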
12-06-2009 11:54 PM
Thanks a lot, adding the ICMP to the inspection already did it.
03-16-2023 05:02 AM
For me, it was that the security-level of the interface was too high. A quick test of this by changing to the same security-level resolved the access. An ACL was put in place on the interface to secure traffic.