Link to home
Start Free TrialLog in
Avatar of fgasimzade
fgasimzadeFlag for Azerbaijan

asked on

Allow ping to outside interface of ASA

I have read through a number of threats, but it didnt work for me.. I still can not ping outiside interface.
Here is my config, please advice.


hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248 
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp 
 security-level 100
 ip address 10.40.50.65 255.255.255.252 
!             
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0 
 management-only
!             
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any 
access-list nat extended permit ip any any 
access-list allow_ping extended permit icmp any any echo-reply 
access-list allow_ping extended permit icmp any any source-quench 
access-list allow_ping extended permit icmp any any unreachable 
access-list allow_ping extended permit icmp any any time-exceeded 
access-list allow_ping extended permit udp any any eq isakmp 
access-list allow_ping extended permit esp any any 
access-list allow_ping extended permit ah any any 
access-list allow_ping extended permit gre any any 
access-list allow_ping extended permit tcp any any eq ssh 
access-list nonat extended permit ip any any 
access-list icmp_inside extended permit icmp any any 
access-list icmp_inside extended permit ip any any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside

Open in new window

Avatar of Donboo
Donboo
Flag of Denmark image
From where are you doing the ping?
Avatar of fgasimzade
fgasimzade
Flag of Azerbaijan image

ASKER

From inside network
Avatar of MikeKane
MikeKane
Flag of United States of America image
The ASA will not let you ping the distant interface from inside.  
Avatar of fgasimzade
fgasimzade
Flag of Azerbaijan image

ASKER

And there is no way to allow pings?
Avatar of Donboo
Donboo
Flag of Denmark image
No the ASA cannot route therefore it cannot turn traffic directed to its outside interfaces, unlike a router, from the inside interfaces.

Meaning you can only ping  the closest interface, Its by design.
Avatar of fgasimzade
fgasimzade
Flag of Azerbaijan image

ASKER

What do you mean saying that ASA cannot route? It can, I have eigrp configured on it
ASKER CERTIFIED SOLUTION
Avatar of Donboo
Donboo
Flag of Denmark image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of MikeKane
MikeKane
Flag of United States of America image
With those explanations, is there anything else we can help with?