Cannot ping through a Cisco ASA 5505 - why?

Posted on 2008-10-29
Last Modified: 2013-11-29
We are setting up a new extranet link.  The firewall to be used is the Cisco ASA5505.  At this point we want to get basic connectivity tested.  In the past we have used PIX equipment but this is our first ASA.

We are trying to ping through the firewall from Test PC to Test Router.  It does not work.
We can ping from Test PC to inside ASA.
We can ping from within the ASA to Test PC.
We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

   Test PC ----- inside [ ASA ] outside ----- Test Router

Below is the output from the commands sho ver, sho start and sho route.

wf03# sho ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

wf03 up 4 mins 37 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : ?CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: ?CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : ?CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 001d.70ff.eccc, irq 11
 1: Ext: Ethernet0/0         : address is 001d.70ff.ecc4, irq 255
 2: Ext: Ethernet0/1         : address is 001d.70ff.ecc5, irq 255
 3: Ext: Ethernet0/2         : address is 001d.70ff.ecc6, irq 255
 4: Ext: Ethernet0/3         : address is 001d.70ff.ecc7, irq 255
 5: Ext: Ethernet0/4         : address is 001d.70ff.ecc8, irq 255
 6: Ext: Ethernet0/5         : address is 001d.70ff.ecc9, irq 255
 7: Ext: Ethernet0/6         : address is 001d.70ff.ecca, irq 255
 8: Ext: Ethernet0/7         : address is 001d.70ff.eccb, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

Serial Number: xxxxxxxxxxxx
Running Activation Key: xxxxxx xxxxxxxx xxxxxxxx xxxxxxx
Configuration register is 0x1
Configuration has not been modified since last system restart.


wf03# sho start
: Saved
: Written by enable_15 at 07:51:03.758 UTC Wed Oct 29 2008
ASA Version 8.0(4)
hostname wf03

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list OUTSIDE_IN remark Open the doors for testing
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN remark Deny everything else
access-list OUTSIDE_IN extended deny tcp any any
access-list OUTSIDE_IN extended deny udp any any
access-list INSIDE_IN remark Open the doors for testing
access-list INSIDE_IN extended permit tcp any any
access-list INSIDE_IN extended permit udp any any
access-list INSIDE_IN extended permit icmp any any echo-reply
access-list INSIDE_IN extended permit icmp any any time-exceeded
access-list INSIDE_IN extended permit icmp any any unreachable
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN remark Deny everything else
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context


wf03# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is to network

C is directly connected, outside
C is directly connected, _internal_loopback
C is directly connected, inside
S* [1/0] via, outside
Question by: dalva

Expert Comment

ID: 22834132
You said:

We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

I said:
Within the ASA, does that mean on the same network as Test PC? If so, the FW is working fine.
Is the default route set on Test PC?

You do not need an ACL on the outside to allow traffic; inside to outside and back is allowed due to security levels.

harbor235 ;}

Author Comment

ID: 22834971
When I say within the ASA it means logged into the ASA through the Console port.
Test PC default route is which is the inside port of ASA.

Any ideas?

Accepted Solution

bml104 earned 200 total points
ID: 22835673
config t
icmp permit any inside
icmp permit any outside
Author Comment

ID: 22835967
That solved my problem.
Let me see if I understand it.  ICMP is disabled by default.
Setting an ACL for ICMP sets up the rule, but the ASA will not allow ICMP to flow until it is turned on with icmp permit...

You need to have the ACL and icmp permit... to make it work.  One without the other will not work.

Am I correct?

Expert Comment

ID: 22836688

icmp commands are for traffic that terminates at the FW, not through it, so if you initiate a ping from the FW it is not allowed unless you use icmp commands.  Someone on the inside of the firewall can ping to the outside and back based on security levels without ACLs.

Traffic from a higher security level to a lower security level is allowed by default.
Traffic from a lower security level to a higher one is not allowed by default and requires ACLs to allow it.

Just need to clarify what was happening

harbor235 ;}

Expert Comment

ID: 22851565
ICMP is like SSH or HTTP access. You just need to enable it with the command, no ACLs are needed.

Expert Comment

ID: 22851825

That is incorrect. ICMP to the firewall is like ssh or http access to the firewall. ICMP through the firewall is different and requires an ACL if originated from the outside. If it is originated from the inside, then the FW will approximate tcp/udp/icmp connections and will allow it because it was originated from a trusted network, the inside. The traffic flowed from a higher security level to a lower security level.

harbor235 ;}
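The distinction the thread ends on, ICMP that terminates at the ASA versus ICMP that passes through it, can be made concrete with a small model. The Python below is an added example written for this page; it is not ASA code and was not posted by anyone in the thread. It models the rules stated above (higher-to-lower security level allowed by default, lower-to-higher needing an ACL, an applied access-group replacing the security-level default with the ACL's own implicit deny, and the icmp permit/deny commands governing only packets addressed to an ASA interface) plus one documented default the thread does not mention: without `inspect icmp` in the service policy, the ASA does not match an echo-reply to the request that caused it, so the reply is judged as a new inbound flow on the outside interface. Addresses are constructed from documentation ranges because the poster redacted theirs; NAT is ignored and ACL entries are reduced to (action, protocol, icmp-type) tuples, so this is a teaching model of the decision order, not a reproduction of the appliance.

```python
"""Simplified model of how an ASA decides whether an ICMP packet is permitted.
Hypothetical teaching model (not ASA code): NAT is ignored and an ACL entry is
just (action, protocol, icmp_type), with icmp_type None meaning 'any type'."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    security_level: int
    address: str                        # the ASA's own address on this interface
    network: str
    access_group: Optional[list] = None  # inbound ACL applied with access-group; None = no ACL


@dataclass
class ASA:
    interfaces: list
    icmp_rules: dict = field(default_factory=dict)  # ifname -> [(action, network)]: "icmp permit|deny"
    inspect_icmp: bool = False                      # "inspect icmp" in the global service policy
    conns: set = field(default_factory=set)         # (src, dst) of echo requests already forwarded

    def _iface_for(self, ip):
        for i in self.interfaces:
            if ip_address(ip) in ip_network(i.network):
                return i
        raise ValueError(f"no interface for {ip}")

    def _is_to_box(self, dst):
        return any(i.address == dst for i in self.interfaces)

    def _to_box_permitted(self, ingress, src):
        rules = self.icmp_rules.get(ingress.name, [])
        if not rules:
            return True           # default: ICMP addressed to an ASA interface is accepted
        for action, net in rules:
            if ip_address(src) in ip_network(net):
                return action == "permit"
        return False              # implicit deny once any icmp rule exists for the interface

    @staticmethod
    def _acl_permits(acl, proto, icmp_type):
        for action, p, t in acl:
            if p in ("ip", proto) and t in (None, icmp_type):
                return action == "permit"
        return False              # implicit deny at the end of every ACL

    def icmp(self, src, dst, icmp_type):
        """Decide one ICMP packet; returns True if the ASA lets it pass."""
        ingress = self._iface_for(src)
        if self._is_to_box(dst):
            return self._to_box_permitted(ingress, src)
        egress = self._iface_for(dst)
        if self.inspect_icmp and icmp_type == "echo-reply" and (dst, src) in self.conns:
            return True           # reply matched to its tracked request, no ACL check
        if ingress.access_group is not None:
            permitted = self._acl_permits(ingress.access_group, "icmp", icmp_type)
        else:
            permitted = ingress.security_level > egress.security_level
        if permitted and icmp_type == "echo":
            self.conns.add((src, dst))
        return permitted

    def ping(self, src, dst):
        """Echo request and, for through-the-box traffic, the echo-reply coming back."""
        if not self.icmp(src, dst, "echo"):
            return False
        if self._is_to_box(dst):
            return True           # the ASA answers its own interface, nothing to forward
        return self.icmp(dst, src, "echo-reply")


# Constructed addresses (the poster's values are redacted in the thread).
PC, ASA_INSIDE, ASA_OUTSIDE, ROUTER = "192.0.2.10", "192.0.2.1", "198.51.100.1", "198.51.100.2"
PERMIT_ICMP_ANY = [("permit", "icmp", None)]   # "permit icmp any any"


def build(outside_acl=None, inspect_icmp=False, icmp_rules=None):
    """inside=100 with an ACL permitting icmp (as INSIDE_IN does), outside=0 as requested."""
    return ASA(
        interfaces=[
            Interface("inside", 100, ASA_INSIDE, "192.0.2.0/24", access_group=PERMIT_ICMP_ANY),
            Interface("outside", 0, ASA_OUTSIDE, "198.51.100.0/24", access_group=outside_acl),
        ],
        icmp_rules=icmp_rules or {},
        inspect_icmp=inspect_icmp,
    )


def _run(asa):
    """(PC pings the ASA's inside address, PC pings the router through the ASA)."""
    return (asa.ping(PC, ASA_INSIDE), asa.ping(PC, ROUTER))


def scenarios():
    return {
        "no_outside_acl": _run(build()),
        "outside_acl_permits_icmp": _run(build(outside_acl=PERMIT_ICMP_ANY)),
        "inspect_icmp": _run(build(inspect_icmp=True)),
        "icmp_deny_inside": _run(build(outside_acl=PERMIT_ICMP_ANY,
                                       icmp_rules={"inside": [("deny", "0.0.0.0/0")]})),
    }


if __name__ == "__main__":
    for name, (to_box, through) in scenarios().items():
        print(f"{name:28s} ping ASA inside: {to_box}  ping router: {through}")
```

Read the four cases together: with no ACL on the outside and no ICMP inspection, the request leaves but the reply is dropped as a new lower-to-higher flow; either an outside ACL permitting icmp (what the poster's OUTSIDE_IN does) or `inspect icmp` lets the reply back; and `icmp deny any inside` stops the PC pinging the ASA's own address while leaving the through-the-box ping untouched, which is the separation harbor235 describes.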
