Solved

Allow ping to outside interface of ASA

Posted on 2009-07-02
Last Modified: 2012-05-07
I have read through a number of threads, but it didn't work for me. I still cannot ping the outside interface.
Here is my config, please advise.


hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248 
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp 
 security-level 100
 ip address 10.40.50.65 255.255.255.252 
!             
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0 
 management-only
!             
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any 
access-list nat extended permit ip any any 
access-list allow_ping extended permit icmp any any echo-reply 
access-list allow_ping extended permit icmp any any source-quench 
access-list allow_ping extended permit icmp any any unreachable 
access-list allow_ping extended permit icmp any any time-exceeded 
access-list allow_ping extended permit udp any any eq isakmp 
access-list allow_ping extended permit esp any any 
access-list allow_ping extended permit ah any any 
access-list allow_ping extended permit gre any any 
access-list allow_ping extended permit tcp any any eq ssh 
access-list nonat extended permit ip any any 
access-list icmp_inside extended permit icmp any any 
access-list icmp_inside extended permit ip any any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside

Question by:fgasimzade
8 Comments
 
LVL 9

Expert Comment

by:Donboo
ID: 24770585
From where are you doing the ping?
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24770628
From inside network
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24772288
The ASA will not let you ping the distant interface from inside.  
0

 
LVL 18

Author Comment

by:fgasimzade
ID: 24776505
And there is no way to allow pings?
0
 
LVL 9

Expert Comment

by:Donboo
ID: 24777102
No, the ASA cannot route; therefore it cannot turn traffic directed to its outside interfaces, unlike a router, from the inside interfaces.

Meaning you can only ping the closest interface. It's by design.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24782602
What do you mean by saying that the ASA cannot route? It can; I have EIGRP configured on it.
0
 
LVL 9

Accepted Solution

by:
Donboo earned 500 total points
ID: 24787395
It can't route traffic on the same interface as a router can. Meaning it can't route traffic to destinations if the return traffic doesn't enter the same interface again.

If you have a LAN1 on the inside of the ASA and you also have a LAN2 located behind a router that has an IP address in LAN1 and LAN2, and the LAN1 clients have their DG set to the ASA and the ASA has a route to LAN2, LAN1 and LAN2 wouldn't be able to communicate, as the ASA can't route traffic on the same interface. But if the DG of LAN1 was the router then there would be no problem, as it's not session aware.

My own definition of routing is when a device forwards a packet to the destination/next hop and forgets about it. Whereas the ASA forwards a packet to a destination/next hop and keeps track of the session in a table.

As for your issue, it's the same: you ping from the inside LAN to the IP address on the outside interface, meaning the ASA would have to "turn/route" the traffic back in the same interface, and it can't do that. The ASA is a firewall, not a router.

I hope that clarified things for you.
0
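
Added example (not part of the original thread, and not Cisco code): a small Python check that applies the rule from the answers above to the interface stanzas of the posted config. The function names, the trimmed sample config and the choice of "eigrp" as the ingress interface for the asker's "inside network" are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: interface stanzas trimmed from the config in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/3
 nameif eigrp
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every named, addressed interface."""
    interfaces, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None  # new stanza: forget the previous nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and name:
            interfaces[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def ping_verdict(config, ingress, target_ip):
    """Classify a ping that enters the ASA on `ingress` and targets `target_ip`."""
    interfaces = parse_interfaces(config)
    target = ipaddress.ip_address(target_ip)
    owner = next((n for n, i in interfaces.items() if i.ip == target), None)
    if owner is None:
        return "through-traffic"  # not an ASA address: normal ACL/NAT rules apply
    if owner != ingress:
        return "far-interface"    # the case in this thread: the ASA does not answer
    return "near-interface"       # ingress interface's own address: `icmp` rules decide
```

For the asker's case, ping_verdict(SAMPLE_CONFIG, "eigrp", "10.254.17.9") returns "far-interface", which is why the `icmp permit any outside` line and the allow_ping access list make no difference to that ping.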
 
LVL 33

Expert Comment

by:MikeKane
ID: 24824152
With those explanations, is there anything else we can help with?
0
