Solved

Allow ping to outside interface of ASA

Posted on 2009-07-02
8
2,814 Views
Last Modified: 2012-05-07
I have read through a number of threats, but it didnt work for me.. I still can not ping outiside interface.
Here is my config, please advice.


hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248 
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp 
 security-level 100
 ip address 10.40.50.65 255.255.255.252 
!             
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0 
 management-only
!             
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any 
access-list nat extended permit ip any any 
access-list allow_ping extended permit icmp any any echo-reply 
access-list allow_ping extended permit icmp any any source-quench 
access-list allow_ping extended permit icmp any any unreachable 
access-list allow_ping extended permit icmp any any time-exceeded 
access-list allow_ping extended permit udp any any eq isakmp 
access-list allow_ping extended permit esp any any 
access-list allow_ping extended permit ah any any 
access-list allow_ping extended permit gre any any 
access-list allow_ping extended permit tcp any any eq ssh 
access-list nonat extended permit ip any any 
access-list icmp_inside extended permit icmp any any 
access-list icmp_inside extended permit ip any any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside

Open in new window

0
Comment
Question by:fgasimzade
  • 3
  • 3
  • 2
8 Comments
 
LVL 9

Expert Comment

by:Donboo
ID: 24770585
From where are you doing the ping?
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24770628
From inside network
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24772288
The ASA will not let you ping the distant interface from inside.  
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 18

Author Comment

by:fgasimzade
ID: 24776505
And there is no way to allow pings?
0
 
LVL 9

Expert Comment

by:Donboo
ID: 24777102
No the ASA cannot route therefore it cannot turn traffic directed to its outside interfaces, unlike a router, from the inside interfaces.

Meaning you can only ping  the closest interface, Its by design.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24782602
What do you mean saying that ASA cannot route? It can, I have eigrp configured on it
0
 
LVL 9

Accepted Solution

by:
Donboo earned 500 total points
ID: 24787395
It can´t route traffic on the same interface as a router can. Meaning it can´t route traffic to destinations if the return traffic dosn´t enter the same interface again.

If you have a LAN1 on the inside of the ASA and you also have a LAN2 located behind a router that has the IP address in the LAN1 and LAN2 and the LAN1 clients have DG to the ASA and the ASA has a route to LAN2, LAN1 and LAN2 wouldnt be able to communicate as the ASA can´t route traffic on the same interface. but if the DG of LAN1 was the router then there be no problem as its not session aware.

My own definition of routing is when a device forward a packet to a destination to the destination/next hop and forgets about it. Whereas the ASA forwards a packet to a destination/next hop and keeps track of the session in a table.

As for your issue its the same, you ping from the inside LAN to the IP address on the outside interface meaning the ASA would have to "Turn/route" the traffic back in the same interface and it can´t do that. The ASA is a firewall not a router.

I hope that clarified things for you.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24824152
With those explanations, is there anything else we can help with?
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question