Allow ping to outside interface of ASA

I have read through a number of threats, but it didnt work for me.. I still can not ping outiside interface.
Here is my config, please advice.


hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248 
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp 
 security-level 100
 ip address 10.40.50.65 255.255.255.252 
!             
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0 
 management-only
!             
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any 
access-list nat extended permit ip any any 
access-list allow_ping extended permit icmp any any echo-reply 
access-list allow_ping extended permit icmp any any source-quench 
access-list allow_ping extended permit icmp any any unreachable 
access-list allow_ping extended permit icmp any any time-exceeded 
access-list allow_ping extended permit udp any any eq isakmp 
access-list allow_ping extended permit esp any any 
access-list allow_ping extended permit ah any any 
access-list allow_ping extended permit gre any any 
access-list allow_ping extended permit tcp any any eq ssh 
access-list nonat extended permit ip any any 
access-list icmp_inside extended permit icmp any any 
access-list icmp_inside extended permit ip any any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside

Open in new window

LVL 18
fgasimzadeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DonbooCommented:
From where are you doing the ping?
0
fgasimzadeAuthor Commented:
From inside network
0
MikeKaneCommented:
The ASA will not let you ping the distant interface from inside.  
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

fgasimzadeAuthor Commented:
And there is no way to allow pings?
0
DonbooCommented:
No the ASA cannot route therefore it cannot turn traffic directed to its outside interfaces, unlike a router, from the inside interfaces.

Meaning you can only ping  the closest interface, Its by design.
0
fgasimzadeAuthor Commented:
What do you mean saying that ASA cannot route? It can, I have eigrp configured on it
0
DonbooCommented:
It can´t route traffic on the same interface as a router can. Meaning it can´t route traffic to destinations if the return traffic dosn´t enter the same interface again.

If you have a LAN1 on the inside of the ASA and you also have a LAN2 located behind a router that has the IP address in the LAN1 and LAN2 and the LAN1 clients have DG to the ASA and the ASA has a route to LAN2, LAN1 and LAN2 wouldnt be able to communicate as the ASA can´t route traffic on the same interface. but if the DG of LAN1 was the router then there be no problem as its not session aware.

My own definition of routing is when a device forward a packet to a destination to the destination/next hop and forgets about it. Whereas the ASA forwards a packet to a destination/next hop and keeps track of the session in a table.

As for your issue its the same, you ping from the inside LAN to the IP address on the outside interface meaning the ASA would have to "Turn/route" the traffic back in the same interface and it can´t do that. The ASA is a firewall not a router.

I hope that clarified things for you.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MikeKaneCommented:
With those explanations, is there anything else we can help with?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.