Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
410
Views
0
Helpful
1
Replies

PC can't ping downstream networks

cameronjohn
Level 1
Level 1

‎11-14-2007 04:30 AM - edited ‎03-09-2019 07:23 PM

I have an ASA5505 and have setup rip v2 on it. I have some downstream routers set up connected off one of the ASA switchports

ASA(INSIDE)10.17.34.1 --- 10.17.34.10Gateway_rtr172.31.1.1 --- 172.31.1.2Router1 etc

From the ASA i can ping any where but from the PC i cannot ping the 172.31.1.1 network even though the Gateway router is directly connected and has that route.i can ping the 10.17.34.10 ip only

Debugging shows:

Nov 14 2007 21:49:34: %ASA-3-106014: Deny inbound icmp src inside:10.17.34.2 dst inside:172.31.1.1 (type 8, code 0)

Nov 14 2007 22:25:56: %ASA-3-106014: Deny inbound icmp src inside:10.17.34.2 dst inside:172.31.1.1 (type 0, code 0)

There is no acl's on the router from the LAN and all seems correct from the client.

ICMP inspection is enabled.

Am I missing something. Software release is ver 8.0(2)

thanks,

John

Labels:
0 Helpful
1 Reply 1

thefindjack
Level 1
Level 1

‎11-14-2007 12:04 PM

By default PIX or ASA does NOT allow ICMP....here is a really good document that explains it and how to configure the firewall to allow ICMP.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Please rate if this help!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents