Solved

Allow ping to outside interface of ASA

Posted on 2009-07-02
8
2,812 Views
Last Modified: 2012-05-07
I have read through a number of threats, but it didnt work for me.. I still can not ping outiside interface.
Here is my config, please advice.


hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248 
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp 
 security-level 100
 ip address 10.40.50.65 255.255.255.252 
!             
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0 
 management-only
!             
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any 
access-list nat extended permit ip any any 
access-list allow_ping extended permit icmp any any echo-reply 
access-list allow_ping extended permit icmp any any source-quench 
access-list allow_ping extended permit icmp any any unreachable 
access-list allow_ping extended permit icmp any any time-exceeded 
access-list allow_ping extended permit udp any any eq isakmp 
access-list allow_ping extended permit esp any any 
access-list allow_ping extended permit ah any any 
access-list allow_ping extended permit gre any any 
access-list allow_ping extended permit tcp any any eq ssh 
access-list nonat extended permit ip any any 
access-list icmp_inside extended permit icmp any any 
access-list icmp_inside extended permit ip any any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside

Open in new window

0
Comment
Question by:fgasimzade
  • 3
  • 3
  • 2
8 Comments
 
LVL 9

Expert Comment

by:Donboo
ID: 24770585
From where are you doing the ping?
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24770628
From inside network
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24772288
The ASA will not let you ping the distant interface from inside.  
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 18

Author Comment

by:fgasimzade
ID: 24776505
And there is no way to allow pings?
0
 
LVL 9

Expert Comment

by:Donboo
ID: 24777102
No the ASA cannot route therefore it cannot turn traffic directed to its outside interfaces, unlike a router, from the inside interfaces.

Meaning you can only ping  the closest interface, Its by design.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24782602
What do you mean saying that ASA cannot route? It can, I have eigrp configured on it
0
 
LVL 9

Accepted Solution

by:
Donboo earned 500 total points
ID: 24787395
It can´t route traffic on the same interface as a router can. Meaning it can´t route traffic to destinations if the return traffic dosn´t enter the same interface again.

If you have a LAN1 on the inside of the ASA and you also have a LAN2 located behind a router that has the IP address in the LAN1 and LAN2 and the LAN1 clients have DG to the ASA and the ASA has a route to LAN2, LAN1 and LAN2 wouldnt be able to communicate as the ASA can´t route traffic on the same interface. but if the DG of LAN1 was the router then there be no problem as its not session aware.

My own definition of routing is when a device forward a packet to a destination to the destination/next hop and forgets about it. Whereas the ASA forwards a packet to a destination/next hop and keeps track of the session in a table.

As for your issue its the same, you ping from the inside LAN to the IP address on the outside interface meaning the ASA would have to "Turn/route" the traffic back in the same interface and it can´t do that. The ASA is a firewall not a router.

I hope that clarified things for you.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24824152
With those explanations, is there anything else we can help with?
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question