from inside LAN user are not able to ping outside world with Cisco ASA active-active failover

Posted on 2009-04-16
Last Modified: 2013-11-05
We have created two context one "context-a" and another one "context-b" in the primary asa5520 and failover is working properly with secondary asa5520 but users can't communicate with the outside . But from Primary ASA's context-a and admin context we are able to ping outside like with outside interface we are able to ping any public ip, (right now we are not using context-b). If we are trying ping from user pc then we are not able to ping to the outside. Right now we are using only one isp link and the gateway is We have attach one pc to primar asa's inside port and given ip to the user pc is from pc we are only able to inside ip of the primay asa nothing else.

Admin context:
Inside: standby
outside: /27 standby
DMZ: /24 standby
Default gateway of outside:

Context-a IP:
Inside: standby
outside: /27 standby
DMZ: /24 standby
Default gateway of outside:

Total all context from primary asa was replicated to the secondary asa. But we are not able to get internet access from inside zone.
We are trying to trouble shot from asdm's packet tracer where souce ip was inside ip from context-a and destination ip and result output showing packet was blocked by Access-List.
Please give us a solution.
Question by:futurenetwings
    1 Comment
    LVL 15

    Accepted Solution

    Ping is stateless to the firewall, and as such the replies aren't allowed back in by default.  Try to enable icmp inspection and see if you can ping then:

    policy-map global_policy
     class inspection_default
       inspect icmp

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    PRTG Network Monitor: Intuitive Network Monitoring

    Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

    How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
    I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    794 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now