Cannot ping through a Cisco ASA 5505 - why?

Posted on 2008-10-29
Last Modified: 2013-11-29
We are setting up a new extranet link. The firewall to be used is the Cisco ASA5505. At this point we want to get basic connectivity tested. In the past we have used PIX equipment but this is our first ASA.

We are trying to ping through the firewall from Test PC to Test Router.  It does not work.
We can ping from Test PC to inside ASA.
We can ping from within the ASA to Test PC.
We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

   Test PC -----  inside [ ASA ] outside  ----- Test Router

Below is the output from the commands sho ver, sho start and sho route.

wf03# sho ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

wf03 up 4 mins 37 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : ?CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: ?CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : ?CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 001d.70ff.eccc, irq 11
 1: Ext: Ethernet0/0         : address is 001d.70ff.ecc4, irq 255
 2: Ext: Ethernet0/1         : address is 001d.70ff.ecc5, irq 255
 3: Ext: Ethernet0/2         : address is 001d.70ff.ecc6, irq 255
 4: Ext: Ethernet0/3         : address is 001d.70ff.ecc7, irq 255
 5: Ext: Ethernet0/4         : address is 001d.70ff.ecc8, irq 255
 6: Ext: Ethernet0/5         : address is 001d.70ff.ecc9, irq 255
 7: Ext: Ethernet0/6         : address is 001d.70ff.ecca, irq 255
 8: Ext: Ethernet0/7         : address is 001d.70ff.eccb, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

Serial Number: xxxxxxxxxxxx
Running Activation Key: xxxxxx xxxxxxxx xxxxxxxx xxxxxxx
Configuration register is 0x1
Configuration has not been modified since last system restart.


wf03# sho start
: Saved
: Written by enable_15 at 07:51:03.758 UTC Wed Oct 29 2008
ASA Version 8.0(4)
hostname wf03

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list OUTSIDE_IN remark Open the doors for testing
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN remark Deny everything else
access-list OUTSIDE_IN extended deny tcp any any
access-list OUTSIDE_IN extended deny udp any any
access-list INSIDE_IN remark Open the doors for testing
access-list INSIDE_IN extended permit tcp any any
access-list INSIDE_IN extended permit udp any any
access-list INSIDE_IN extended permit icmp any any echo-reply
access-list INSIDE_IN extended permit icmp any any time-exceeded
access-list INSIDE_IN extended permit icmp any any unreachable
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN remark Deny everything else
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context


wf03# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is to network

C is directly connected, outside
C is directly connected, _internal_loopback
C is directly connected, inside
S* [1/0] via, outside
Question by:dalva

Expert Comment

ID: 22834132
You said;

We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

I said;
Within the ASA, does that mean on the same network as Test PC? If so the FW is working fine.
Is the default route set on Test PC?

You do not need an ACL on the outside to allow traffic; inside to outside and back is allowed due to security levels.

harbor235 ;}

Author Comment

ID: 22834971
When I say within the ASA, I mean logged into the ASA through the console port.
Test PC default route is which is the inside port of ASA.

Any ideas?

Accepted Solution

bml104 earned 200 total points
ID: 22835673
config t
icmp permit any inside
icmp permit any outside

Author Comment

ID: 22835967
That solved my problem.
Let me see if I understand it. ICMP is disabled by default.
Setting an ACL for ICMP sets up the rule, but the ASA will not allow ICMP to flow until it is turned on with icmp permit...

You need to have the ACL and icmp permit... to make it work.  One without the other will not work.

Am I correct?

Expert Comment

ID: 22836688

The icmp commands are for traffic that terminates at the FW, not through it, so if you initiate a ping from the FW it is not allowed unless you use icmp commands. Someone on the inside of the firewall can ping to the outside and back based on security levels without ACLs.

Traffic from a higher security level to a lower security level is allowed by default.
Traffic from a lower security level to a higher is not allowed by default and requires ACLs to allow it.

Just need to clarify what was happening

harbor235 ;}

Expert Comment

ID: 22851565
ICMP is like SSH or HTTP access. You just need to enable it with the command, no ACLs are needed.

Expert Comment

ID: 22851825

That is incorrect. ICMP to the firewall is like ssh or http access to the firewall. ICMP through the firewall is different and requires an ACL if originated from the outside. If it is originated from the inside then the FW will approximate tcp/udp/icmp connections and will allow it, because it was originated from a trusted network, the inside. The traffic flowed from a higher security level to a lower security level.

harbor235 ;}
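The two mechanisms harbor235 distinguishes above (icmp commands for ICMP that terminates on the ASA; security levels, ACLs and inspection for ICMP that passes through it), together with the accepted "icmp permit" fix, put into working ASA 8.0(4) configuration. This is an added example for this page, not configuration from the thread or from Cisco's documentation. The thread posts no addresses, so the ones used here are assumed (RFC 5737 documentation ranges); the interface and ACL names are the ones in the posted config. One caveat worth stating: the posted OUTSIDE_IN list permits all tcp, udp and icmp from any source, which the remarks call "open the doors for testing"; the outside list below narrows it to the reply types a ping from inside actually needs.

```cisco
! Added example, not from the thread. Addresses are assumed:
!   Test PC 192.0.2.10 --- inside 192.0.2.1 [wf03] outside 198.51.100.1 --- Test Router 198.51.100.254
!
! --- 1. ICMP that TERMINATES on the ASA (icmp commands) -----------------------
! With no "icmp" lines an interface answers pings from anyone. As soon as one
! rule exists on an interface an implicit deny-all follows it, so list every
! source that should be able to ping that interface.
icmp permit 192.0.2.0 255.255.255.0 echo inside
icmp permit host 198.51.100.254 echo outside
!
! --- 2. ICMP that goes THROUGH the ASA ---------------------------------------
! The echo request leaves inside (level 100) for outside (level 0) on security
! level alone. The echo-reply comes back lower-to-higher; without inspection it
! is matched only against the outside ACL. Either (a) inspect ICMP so the reply
! is tied to the outgoing request as a connection, or (b) open the reply types
! on the outside ACL. (a) is preferred. The posted startup config has no
! class-map or policy-map at all, so the whole stanza is shown.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
!
! (b) Stateless alternative: instead of "permit icmp any any" on OUTSIDE_IN,
! admit only what a ping or traceroute from inside needs. Binding this list
! replaces the posted OUTSIDE_IN binding on the outside interface.
access-list OUTSIDE_IN_NARROW extended permit icmp any any echo-reply
access-list OUTSIDE_IN_NARROW extended permit icmp any any time-exceeded
access-list OUTSIDE_IN_NARROW extended permit icmp any any unreachable
access-group OUTSIDE_IN_NARROW in interface outside
!
! --- 3. Check it from the ASA before touching the PC --------------------------
! packet-tracer walks a simulated echo request (type 8, code 0) from Test PC
! to Test Router through ACL, NAT and inspection and names the phase that
! drops it; "show icmp" confirms the interface rules; "show conn" shows the
! tracked ICMP connection once inspection is on.
! wf03# packet-tracer input inside icmp 192.0.2.10 8 0 198.51.100.254 detailed
! wf03# show icmp
! wf03# show service-policy inspect icmp
! wf03# show conn protocol icmp
```

If packet-tracer reports the request allowed but the PC still gets no reply, the problem is on the return path (the router's route back to the translated address, or the outside ACL in the stateless case), not in the ASA's handling of the request.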
