1760 Views, 0 Helpful, 5 Replies

ping through ASA

Kashish_Patel (Level 2)

Could some security expert please help me understand ICMP behavior for an ASA running 8.0 or 8.2?

My inside hosts (sitting behind the inside interface of the ASA) can ping an external IP (on the Internet). But when I ping that same external IP from the firewall, I don't get any reply.

Thanks,

Kashish


5 Replies

Jennifer Halim (Cisco Employee)

Do you have an "icmp" command configured on your ASA that might be blocking it?

You can configure:

icmp permit any outside

As per packet tracer, ping should be successful.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group citrix-dmz1-perm-all-tmp in interface citrix-dmz1
access-list citrix-dmz1-perm-all-tmp extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1746235146, packet dispatched to next module

Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.244.16.185 using egress ifc outside
adjacency Active
next-hop mac address 0015.63e8.d3d1 hits 12697093

Result:
input-interface: citrix-dmz1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Still, only the inside hosts (sitting behind the inside interface of the ASA) can ping an external IP (on the Internet). But when I ping that same external IP from the firewall, I don't get any reply.

Can you please share your config? Thx

Hi Jennifer,

I have sent you the config file as a private message.

Thanks,

Ritika

Accepted Solution

The reason you can't ping from the ASA itself is that your ASA outside interface has a private IP address, hence it's not routable on the Internet.

All of your internal network has public IPs assigned, therefore you can ping external hosts on the Internet.
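To make the accepted answer's reasoning checkable, here is an added example (not code from the original thread, and not a Cisco tool): a small Python script that parses the packet-tracer output posted earlier in the thread and combines its verdict with the "private outside address" explanation. The packet-tracer text is trimmed from the output above; the outside interface address 10.244.16.186 (placed on the same /24 as the next-hop shown in that output) and the external host 203.0.113.10 are assumptions, since the thread never shows them. The premise encoded in diagnose_self_ping is the one the accepted answer relies on: a ping the ASA sends itself leaves with the egress interface's own address as its source, and the ASA does not apply its through-traffic NAT to packets it originates, so an RFC 1918 outside address leaves the echo reply no route back.

```python
"""Added example (not from the original thread): parse an ASA packet-tracer
result and combine it with the accepted answer's explanation for why a ping
sourced by the ASA itself gets no reply."""
import ipaddress
import re

# Constructed sample: the packet-tracer output posted in the thread, trimmed
# to the lines the parser reads (Config:/Additional Information: omitted).
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
in   0.0.0.0         0.0.0.0         outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
access-group citrix-dmz1-perm-all-tmp in interface citrix-dmz1
access-list citrix-dmz1-perm-all-tmp extended permit ip any any
Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
found next-hop 10.244.16.185 using egress ifc outside
Result:
input-interface: citrix-dmz1
output-interface: outside
Action: allow
"""

# Assumptions (the thread never shows these addresses): an outside interface
# address on the same /24 as the next-hop above, and a stand-in external host.
OUTSIDE_IFC_IP = "10.244.16.186"
EXTERNAL_HOST = "203.0.113.10"

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase:' block with
    type/subtype/result, plus interfaces, next-hop and final action."""
    phases = []
    summary = {"input_interface": None, "output_interface": None,
               "next_hop": None, "egress_ifc": None, "action": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"type": None, "subtype": "", "result": None}
            phases.append(current)
        elif line.startswith("Type:") and current is not None:
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:") and current is not None:
            current["subtype"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if value and current is not None:
                current["result"] = value
            else:
                current = None  # a bare "Result:" opens the final summary
        elif line.startswith("input-interface:"):
            summary["input_interface"] = line.split(":", 1)[1].strip()
        elif line.startswith("output-interface:"):
            summary["output_interface"] = line.split(":", 1)[1].strip()
        elif line.startswith("Action:"):
            summary["action"] = line.split(":", 1)[1].strip()
        else:
            m = re.match(r"found next-hop (\S+) using egress ifc (\S+)", line)
            if m:
                summary["next_hop"], summary["egress_ifc"] = m.groups()
    return phases, summary


def diagnose_self_ping(phases, summary, egress_ifc_ip, dest_ip):
    """packet-tracer models through-traffic only. A ping the ASA sends itself
    is sourced from the egress interface address and is not translated by the
    through-traffic NAT, so an RFC 1918 egress address to a public destination
    leaves the echo reply no way back (the accepted answer's point)."""
    dropped = [p for p in phases if p["result"] != "ALLOW"]
    if dropped or summary["action"] != "allow":
        p = dropped[0] if dropped else {"type": "?", "subtype": ""}
        return "dropped: packet-tracer fails at phase %s %s" % (
            p["type"], p["subtype"])
    if is_rfc1918(egress_ifc_ip) and not is_rfc1918(dest_ip):
        return ("unreachable: ASA sources the echo from %s on %s, an RFC 1918 "
                "address the Internet cannot route a reply to"
                % (egress_ifc_ip, summary["egress_ifc"]))
    return "ok: reply should return to %s" % egress_ifc_ip


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(PACKET_TRACER_OUTPUT)
    print(diagnose_self_ping(phases, summary, OUTSIDE_IFC_IP, EXTERNAL_HOST))
```

Run it as-is and it reports the thread's situation ("unreachable ..."); pass a public address for the outside interface and it reports "ok", and a packet-tracer transcript with any phase other than ALLOW is reported as a drop at that phase, which is the first thing to rule out before blaming addressing.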
