Unable to ping ASA outside interface

Cisco Freak
Level 4

Hi All,

I am not able to ping the outside interface IP from internet. But I can ping from the ASA to internet.

FW# ping 4.2.2.2 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 70/70/70 ms


FW# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside

FW#

Can you please help?

CF

8 Replies

Do you see any drops in the ASDM real time log viewer when you ping the outside IP?

Just for testing could you add permit icmp any any on the outside interface ACL?

What version ASA are you running?

--

Please remember to select a correct answer and rate helpful posts

I tried permitting ICMP in the outside ACL. But still no luck.

I am running ASA 9.1(7).

CF

Do a "debug icmp trace" on the ASA while pinging to see if you get the pings from the host on internet.

I hope you don't have a static nat translating everything to an internal resource.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

I can't do a debug on the device since it's a production ASA. However, I created a packet capture on the ASA. But it doesn't show any hits.

fw-01# sh access-list Test
access-list Test; 2 elements; name hash: 0x173428b0
access-list Test line 1 extended permit icmp host x.x.x.x any4 (hitcnt=0) 0x0b3d0029
access-list Test line 2 extended permit icmp any4 host x.x.x.x (hitcnt=0) 0x5c57c3b6

fw-01# sh capture
capture Test type raw-data access-list Test buffer 2000 interface outside headers-only [Capturing - 0 bytes]
fw-01#

Also, I have run packet-tracer for ICMP type 8 code 0 from 4.2.2.2 to the outside public IP:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

It shows that the packet will be allowed.

There is no static NAT to translate everything into internal.

CF
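The post above pastes three pieces of evidence (ACE hit counters, an interface capture summary and a packet-tracer verdict), and the later replies ask for a fourth (an asp-drop capture). The script below is an added example, not code from the thread or from Cisco: it parses those outputs and applies the same reasoning the replies use, in order. The "show access-list", "show capture" and packet-tracer samples are taken from the post (x.x.x.x is the poster's redacted outside IP); the asp-drop capture line is constructed for illustration and its drop reason is an assumption, not something the poster observed.

```python
import re
from typing import Dict, List

# --- Sample device output. The first three blocks are copied from the post;
# the asp-drop line is constructed and its reason (acl-drop) is an assumption. ---
SHOW_ACCESS_LIST = """\
access-list Test; 2 elements; name hash: 0x173428b0
access-list Test line 1 extended permit icmp host x.x.x.x any4 (hitcnt=0) 0x0b3d0029
access-list Test line 2 extended permit icmp any4 host x.x.x.x (hitcnt=0) 0x5c57c3b6
"""
SHOW_CAPTURE = ("capture Test type raw-data access-list Test buffer 2000 "
                "interface outside headers-only [Capturing - 0 bytes]\n")
PACKET_TRACER = """\
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
"""
# Constructed line in the shape of "show cap asp | in <ASA IP>" output.
SHOW_CAP_ASP_SAMPLE = ("   1: 10:15:42.123456 203.0.113.7 > x.x.x.x: icmp: echo request "
                       "Drop-reason: (acl-drop) Flow is denied by configured rule\n")

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.+?) \(hitcnt=(\d+)\)")
CAP_RE = re.compile(r"^capture (\S+) .*\binterface (\S+).*\[Capturing - (\d+) bytes\]")
DROP_RE = re.compile(r"(\S+) > (\S+): .*Drop-reason: \((\S+)\)")


def parse_access_list(text: str) -> List[Dict[str, object]]:
    """Return one record per ACE, including its hit counter."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            name, num, action, proto, match, hits = m.groups()
            aces.append({"acl": name, "line": int(num), "action": action,
                         "proto": proto, "match": match, "hitcnt": int(hits)})
    return aces


def parse_capture(text: str) -> Dict[str, object]:
    """Read the capture name, interface and bytes captured from the summary line."""
    m = CAP_RE.search(text)
    if not m:
        raise ValueError("no capture summary line found")
    name, iface, nbytes = m.groups()
    return {"name": name, "interface": iface, "bytes": int(nbytes)}


def parse_packet_tracer(text: str) -> Dict[str, str]:
    """Turn the 'key: value' result block into a dict with lower-cased keys."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip().lower()] = value.strip()
    return out


def parse_asp_drops(text: str, target_ip: str) -> List[Dict[str, str]]:
    """Extract src, dst and drop reason for asp-drop entries addressed to target_ip."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m and m.group(2) == target_ip:
            drops.append({"src": m.group(1), "dst": m.group(2), "reason": m.group(3)})
    return drops


def triage(aces, cap, tracer, drops) -> str:
    """Apply the thread's reasoning in order: policy verdict, ASP drops, then arrival."""
    if tracer.get("action", "").lower() != "allow":
        return "policy-drop: packet-tracer denies the echo request; inspect the ACL/NAT phases"
    if drops:
        reasons = ", ".join(sorted({d["reason"] for d in drops}))
        return "asp-drop: echo requests reach the ASA but the fast path drops them (%s)" % reasons
    if cap["bytes"] == 0 and all(a["hitcnt"] == 0 for a in aces):
        return ("not-arriving: interface capture and ACE counters on %s are zero, so the echo "
                "requests never reach the ASA; look upstream of the outside interface"
                % cap["interface"])
    return "arriving-and-allowed: packets seen on the interface and permitted; check syslog for the reply path"


if __name__ == "__main__":
    aces = parse_access_list(SHOW_ACCESS_LIST)
    cap = parse_capture(SHOW_CAPTURE)
    tracer = parse_packet_tracer(PACKET_TRACER)
    print(triage(aces, cap, tracer, []))
    print(triage(aces, cap, tracer, parse_asp_drops(SHOW_CAP_ASP_SAMPLE, "x.x.x.x")))
```

With the outputs as posted, the verdict is "not-arriving": an interface capture on the ASA sees traffic before any ASP drop is applied, so a zero-byte capture plus zero hit counts on a permit ACE means the echo requests are not reaching the outside interface at all, which points upstream rather than at ASA policy. Only if the asp-drop capture shows entries for the outside IP does the verdict shift to an ASA-side drop.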

Is this ASA an internet-facing device?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Yes, it is.

Check that there are no drops on the ASA (run "cap asp type asp-drop all" and "show cap asp | in <ASA IP>" to check that).

BTW, does any other service work (SSH/Telnet/HTTP)?

Send the output of "show run nat" along with all object-groups associated with it.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi,

It seems we are getting ping drops on the ASA outside interface.

Use an asp-drop capture and also check the syslogs of the ASA.

Share the output of "show cap asp | in <outside IP>".

Regards,

Aditya

Please rate helpful posts.
