Solved

Allow ping to outside interface of ASA

Posted on 2009-07-02
2,798 Views
Last Modified: 2012-05-07
I have read through a number of threads, but it didn't work for me. I still cannot ping the outside interface.
Here is my config, please advise.


hostname gyd-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/3
 description EIGRP 2008
 nameif eigrp
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list allow_ping extended permit tcp any any eq ssh
access-list nonat extended permit ip any any
access-list icmp_inside extended permit icmp any any
access-list icmp_inside extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu eigrp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group allow_ping in interface outside

Question by:fgasimzade
 
LVL 9

Expert Comment

by:Donboo
ID: 24770585
From where are you doing the ping?
 
LVL 18

Author Comment

by:fgasimzade
ID: 24770628
From inside network
 
LVL 33

Expert Comment

by:MikeKane
ID: 24772288
The ASA will not let you ping the distant interface from inside.  
 
LVL 18

Author Comment

by:fgasimzade
ID: 24776505
And there is no way to allow pings?
LVL 9

Expert Comment

by:Donboo
ID: 24777102
No, the ASA cannot route, therefore it cannot turn traffic directed to its outside interfaces, unlike a router, from the inside interfaces.

Meaning you can only ping the closest interface. It's by design.
 
LVL 18

Author Comment

by:fgasimzade
ID: 24782602
What do you mean by saying that the ASA cannot route? It can, I have EIGRP configured on it.
 
LVL 9

Accepted Solution

by:
Donboo earned 500 total points
ID: 24787395
It can't route traffic on the same interface as a router can, meaning it can't route traffic to destinations if the return traffic doesn't enter the same interface again.

If you have a LAN1 on the inside of the ASA and you also have a LAN2 located behind a router that has an IP address in both LAN1 and LAN2, and the LAN1 clients have their DG set to the ASA and the ASA has a route to LAN2, LAN1 and LAN2 wouldn't be able to communicate, as the ASA can't route traffic on the same interface. But if the DG of LAN1 were the router, there would be no problem, as it's not session aware.

My own definition of routing is when a device forwards a packet to the destination/next hop and forgets about it, whereas the ASA forwards a packet to a destination/next hop and keeps track of the session in a table.

As for your issue, it's the same: you ping from the inside LAN to the IP address on the outside interface, meaning the ASA would have to "turn/route" the traffic back in the same interface, and it can't do that. The ASA is a firewall, not a router.

I hope that clarified things for you.
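Two points from the posted config are worth making explicit, since they decide what a ping to the ASA's own addresses does. First, ICMP sent to an ASA interface address is governed by the `icmp permit`/`icmp deny` commands for that interface, not by the ACL applied with `access-group`; the `allow_ping` ACL on outside only controls traffic passing through the box. Second, the ASA answers ICMP only on the interface nearest to the sender, so a host on the eigrp segment can be allowed to ping 10.40.50.65 but will never get an answer for 10.254.17.9 from that side, whatever is permitted. The posted `icmp permit any outside` also answers every ICMP type from any Internet source to the outside address, which is more than a ping check needs. The fragment below is an added example, not part of the thread or of the poster's config; it assumes the posted addresses, a constructed host 10.40.50.66 on the eigrp /30, and a constructed monitoring host 10.254.17.10 on the outside /29. It tightens the to-the-box ICMP rules and then uses `packet-tracer` and `capture` to show the near-side versus far-side behaviour rather than guessing at it.

```cisco
! Added example (not from the thread). Assumes the posted config plus two
! constructed hosts: 10.40.50.66 on the eigrp /30 and 10.254.17.10 on the
! outside /29. The outside address 10.254.17.9 is from the post.

! Replace the wide-open rule: answer echo on the outside address only for the
! monitoring host, keep unreachables so path-MTU discovery still works, and
! make the closing deny explicit (an implicit deny applies anyway once any
! icmp rule exists on an interface).
no icmp permit any outside
icmp permit host 10.254.17.10 echo outside
icmp permit any unreachable outside
icmp deny any outside

! Let the eigrp-side hosts ping the interface nearest to them. This is the
! only ASA address they can ping; 10.254.17.9 is never answered from this side.
icmp permit 10.40.50.64 255.255.255.252 echo eigrp
icmp permit any unreachable eigrp
icmp deny any eigrp

! Verify on the box. packet-tracer simulates an ICMP echo (type 8, code 0)
! from the eigrp host; run it once against the near interface and once against
! the far one and compare the two results.
packet-tracer input eigrp icmp 10.40.50.66 8 0 10.40.50.65
packet-tracer input eigrp icmp 10.40.50.66 8 0 10.254.17.9

! While a real ping runs from 10.40.50.66, confirm the request arrives and
! whether a reply leaves, and see whether the data path dropped anything.
capture pingcap interface eigrp match icmp host 10.40.50.66 any
capture dropcap type asp-drop all
show capture pingcap
show capture dropcap
no capture pingcap
no capture dropcap
```

The two `packet-tracer` runs are the quickest way to settle the question in this thread on a given software release: the first shows the near-side echo being handled, the second shows what the ASA does with an echo addressed to its far-side interface. Remove the captures when finished; they are kept in memory and are easy to forget on a production box.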
 
LVL 33

Expert Comment

by:MikeKane
ID: 24824152
With those explanations, is there anything else we can help with?
