Outside Interface IP not reachable

mikeysee2868
Level 1

I have set up an ASA5505 with a basic configuration. Everything internally works great, but if I try to ping the outside interface from an external location, I am unable to do so. I will be using the external IP to access the VPN from another location. I'm sure there is something simple that I am missing here. I have attached my configuration. Any help would be greatly appreciated.

Mike

11 Replies

Collin Clark
VIP Alumni

You need to configure an ACL to allow it and then apply it to the outside interface.

access-list outside_access permit icmp any any

access-group outside_access in interface outside

THIS IS JUST AN EXAMPLE, you should not permit icmp any any.

HTH and please rate.

Thanks for the reply. I added the ACLs but they did not correct the issue. When I look at the ASDM, it shows an implicit rule that appears to be denying all incoming traffic on the outside interface. I don't see a way of eliminating this rule.

Please post your updated config.

Here it is...

Can you also post a screenshot in ASDM of the ACL that's blocking? I don't see an ACL in the config (unless ASDM shows the default deny). Thanks.

Here it is. Not sure if this implicit rule is supposed to be superseded by the explicit rule or not.

One other item to note is that when I try to ping the outside interface, I noticed in the log that I get the following denial...

"Deny IP spoof from xx.xx.xx.xx to on interface outside". I looked at my IP spoof settings and they are turned off.

Can you telnet/ssh into the box and enter the ACL I provided? I never use ASDM and cannot speak intelligently about it or its functionality.

Yes. I entered the ACL that way and the same result, I am unable to ping the outside interface, but I receive an IP spoofing error and the packets are dropped.

cfreebourne
Level 1

icmp permit any

The access-list permitting icmp is to allow ICMP/ping packets to pass through the firewall to the other segment/end.

The "icmp {permit | deny} ip_address net_mask [icmp_type] if_name" command is the one used to allow the PIX/ASA to respond to pings directed to its interface. You can specify different ICMP message types, i.e. echo, echo-reply, etc.

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

hostname(config)# icmp permit host 172.16.2.15 echo-reply outside

hostname(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside

hostname(config)# icmp permit any unreachable outside
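
An added example, not part of the original thread and not Cisco tooling: a small Python audit that separates the two rule kinds the answer above distinguishes (access-list entries for traffic through the firewall, "icmp permit" for traffic to the interface itself) and flags any-source permits like the one the first reply warns against. The sample config, the ACL name mgmt_ping, the addresses and the flagging policy are constructed assumptions.

```python
import re

# Constructed sample config (documentation-range addresses), not from the thread.
SAMPLE_CONFIG = """\
access-list outside_access permit icmp any any
access-list mgmt_ping extended permit icmp host 198.51.100.7 any echo
access-group outside_access in interface outside
icmp permit any outside
icmp permit host 192.0.2.10 echo outside
icmp permit any unreachable outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+icmp\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
ICMP_RE = re.compile(r"^icmp\s+permit\s+(.+)\s+(\S+)$")


def audit(config):
    """Classify each ICMP permit as through-the-box (ACL) or to-the-box (icmp)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # ACL name -> interface it is bound to inbound; an unbound ACL has no effect.
    bound = {m.group(1): m.group(2) for m in map(GROUP_RE.match, lines) if m}
    findings = []
    for ln in lines:
        acl = ACL_RE.match(ln)
        icmp = ICMP_RE.match(ln)
        if acl:
            name, rest = acl.groups()
            src_any = rest.split()[0] == "any"
            findings.append({"scope": "through", "interface": bound.get(name),
                             "line": ln, "broad": src_any})
        elif icmp:
            spec, iface = icmp.groups()
            tok = spec.split()
            src_any = tok[0] == "any"
            # Source is one token for "any", two for "host IP" or "IP MASK".
            icmp_type = (tok[1:] if src_any else tok[2:]) or [None]
            # Assumed policy: "unreachable" from any is tolerated because path
            # MTU discovery depends on it; other any-source rules are flagged.
            broad = src_any and icmp_type[0] != "unreachable"
            findings.append({"scope": "to-box", "interface": iface,
                             "line": ln, "broad": broad})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        flag = "REVIEW" if f["broad"] else "ok"
        print(f"{flag:6} {f['scope']:8} {str(f['interface']):8} {f['line']}")
```

An interface of None on a "through" finding means the ACL is defined but not applied with access-group, so it filters nothing.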