Core issue

This can happen when the Internet Control Message Protocol (ICMP) is not enabled on the outer interface.

Resolution

Complete these steps in order to resolve this issue in PIX version 6.x:

1. Enable the ICMP on outer interface.
   
   
2. Issue these commands in sequence:
   
   access-list < allowicmp >  line 1 permit icmp any any echo
   access-list < allowicmp >  line 2 permit icmp any any unreachable
   access-list < allowicmp >  line 3 permit icmp any any time-exceeded
   access-list < allowicmp >  line 4 permit icmp any any source-quench
   access-list < allowicmp >  line 5 permit icmp any any
   

Note: The access-list  < allowicmp > command is bound on the outer interface.

In order to resolve this issue in PIX/ASA version 7.x, there are two options:

• You can use access-list as in version 6.x.
  
  
• Configure ICMP inspection.
  
  This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage to monitor the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.

For example:

policy-map global_policy
    class inspection_default
     inspect icmp

Refer to Handling ICMP Pings and Traceroute with the PIX/ASA Firewall for more information.

Problem Type

Connectivity through the device

Product Family

Firewall - PIX 500 series

ASA Hardware & Software

PIX Software Version

PIX version 6.x

PIX version 7.x

ASA Software Version

7.0

7.1

7.2

PIX Model

PIX 500 Series Firewall

ASA Models

ASA 5510

ASA 5520

ASA 5540

ASA 5500

Client Location on Network with PIX

Inside

Protocol / Ports

Internet Control Message Protocol (ICMP)

Selected PIX or Router Commands

traceroute

access-list

Can You Ping...

Client cannot ping PIX outside interface