Why can't the inside interface with a higher security level on ASA 5545 ping the DMZ interface with a lower security level?

Joseph Oloyede
Level 1

Why can't the inside interface with a higher security level on ASA 5545 ping the DMZ interface with a lower security level? No NAT is configured. I expect that by default I should be able to ping a lower security level from a higher security level interface on the ASA.


4 Replies

If there is no ACL applied to the higher interface that denies the traffic, then the higher security-system can ping the system on the lower level. But with the ASA-defaults, ICMP is not stateful and the replies are dropped. To make it stateful you have to extend your default policy-map:

policy-map global_policy
 class inspection_default
  inspect icmp

Hello Karsten,

Thanks for the reply, have included the command, but still cannot ping the lower interface.

What are you trying exactly? Ping a system on the lower security-level or the lower security-level ASA-interface? The latter is not supported on the ASA. Then test it with a ping to a system in the DMZ.
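
Both points in Karsten's replies, the missing `inspect icmp` in the default `global_policy` and the unsupported ping to the ASA's own far-side interface, can be checked against a running-config before touching the box. The following Python script is an added example, not from this thread and not Cisco tooling. It parses a constructed config excerpt (the interface names, security levels and policy-map contents are assumed) and reports what to expect for a ping from one interface toward a host behind another.

```python
"""Audit an ASA running-config excerpt for the two things this thread turns on:
stateful ICMP inspection in global_policy and the relative security levels
of the interfaces involved.  Added example; the config below is constructed."""
import re

# Constructed sample: the ASA default global_policy, which has no "inspect icmp".
CONFIG_DEFAULT = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
service-policy global_policy global
"""

# The same config after applying the fix from the reply above.
CONFIG_FIXED = CONFIG_DEFAULT.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_policy_maps(config):
    """Return {policy_map: {class_name: [actions]}} for Layer 3/4 policy maps.
    'policy-map type inspect ...' blocks are skipped: class inspection_default
    does not live in those."""
    maps, pm, cls = {}, None, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        text = raw.strip()
        if _indent(raw) == 0:
            pm = cls = None
            m = re.fullmatch(r"policy-map (\S+)", text)
            if m:
                pm = m.group(1)
                maps[pm] = {}
        elif pm is not None and _indent(raw) == 1 and text.startswith("class "):
            cls = text.split(None, 1)[1]
            maps[pm][cls] = []
        elif pm is not None and cls is not None and _indent(raw) >= 2:
            maps[pm][cls].append(text)
    return maps


def parse_security_levels(config):
    """Return {nameif: security-level} for every interface that has both."""
    levels, name, level = {}, None, None
    for raw in config.splitlines():
        text = raw.strip()
        if _indent(raw) == 0:  # a new top-level block closes the interface block
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
            continue
        if text.startswith("nameif "):
            name = text.split()[1]
        elif text.startswith("security-level "):
            level = int(text.split()[1])
    if name is not None and level is not None:
        levels[name] = level
    return levels


def icmp_inspection_enabled(config, policy_map="global_policy"):
    """True only if 'inspect icmp' is in some class of policy_map AND that
    policy map is actually applied globally via service-policy."""
    applied = re.search(rf"^service-policy {re.escape(policy_map)} global$", config, re.M)
    classes = parse_policy_maps(config).get(policy_map, {})
    has_icmp = any("inspect icmp" in actions for actions in classes.values())
    return applied is not None and has_icmp


def audit_ping_path(config, src, dst):
    """Findings for a ping sourced on the src side toward a host behind dst."""
    levels = parse_security_levels(config)
    if src not in levels or dst not in levels:
        return ["unknown interface: " + (src if src not in levels else dst)]
    findings = []
    if levels[src] > levels[dst]:
        findings.append(f"{src} ({levels[src]}) -> {dst} ({levels[dst]}): higher to lower, "
                        f"allowed by default unless an ACL on {src} denies it")
    else:
        findings.append(f"{src} ({levels[src]}) -> {dst} ({levels[dst]}): not higher to lower, "
                        f"not permitted by default")
    if icmp_inspection_enabled(config):
        findings.append("inspect icmp present in global_policy: echo replies are matched "
                        "to their requests and allowed back")
    else:
        findings.append("no inspect icmp in global_policy: echo replies are not tracked and "
                        f"are dropped unless an ACL on {dst} permits them inbound")
    findings.append(f"pinging the ASA's own {dst} interface address from the {src} side is "
                    f"not supported; test against a host behind {dst}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("fixed", CONFIG_FIXED)):
        print(f"== {label} ==")
        for f in audit_ping_path(cfg, "inside", "dmz"):
            print(" -", f)
```

Run it against a real `show running-config` dump instead of the constructed strings to confirm that `inspect icmp` landed in the policy map that is actually applied with `service-policy ... global`, not in some other map.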

Hello Karsten,

Thanks a lot. I was pinging the lower security level on the ASA-interface. I can ping a system in the DMZ now.
