Solved

Need some help with pinging externally.

Posted on 2013-01-15
Last Modified: 2013-03-01
I have two sites, 192.168.16.x and 192.168.18.x, linked by a VPN between 2 Cisco ASAs.

I am on the 18 subnet and can ping all machines on the 18 subnet and the 16.
However I cannot ping externally.
I can get to the web fine - web traffic passes over the VPN thru a proxy on the 16 subnet.
DNS resolves fine, but as soon as I try to ping outside - say ping www.bbc.co.uk - I get timed out.

Tracert ain't helping at all.

On the 16 subnet I can ping all 16 subnet machines, all 18 machines and externally without issue.

Can someone assist with why ping won't bounce back? I had thought of static routes, but the firewall has a static route to the 18 subnet.

Thank you in advance
majic
Question by:Majicthise
4 Comments
 

Expert Comment

by:max_the_king
Hi,
You need to explicitly permit the ICMP protocol on the inside interface, for example:

access-list inside_interface permit icmp any any
access-list inside_interface permit ip any any
access-group inside_interface in interface inside

Should you already have an access-list applied on the inside interface, you just need to add the following to your access-list:

access-list <your_already_existent_access-list> line 1 permit icmp any any

hope this helps
max

Accepted Solution

by:Leeeee
Or on the global policy, make sure inspect icmp is configured.
 

Author Comment

by:Majicthise
Thanks for the replies.
ICMP is set on both devices, and on checking the counters, the rule is being hit.

I'm not sure how you do that, Leeeee?
Is that the same step that max is talking about?

Assisted Solution

by:Leeeee
There is a global inspection policy configured by default on the ASA. It's normally towards the bottom of the config. Since ICMP is not stateful, you will need to configure an ACL like max recommended to explicitly allow it, or enable inspection of the protocol in the global inspection policy on the ASA:

Here's a great reference regarding ICMP:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

For your reference, this is how you would configure ICMP inspection:
policy-map global_policy
    class inspection_default
     inspect icmp
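The two approaches from this thread side by side, with checks to confirm which one is in effect. This is an added example, not configuration posted by anyone in the thread. The ACL name `OUTSIDE_IN`, the interface name `outside`, the host 192.168.18.10 and the destination 203.0.113.10 are assumptions chosen for illustration.

```cisco
! --- Option A: stateful ICMP inspection (the accepted answer) ---
! The ASA tracks each echo request and admits only the matching reply,
! so no inbound ICMP rule is needed on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! The policy only takes effect when it is applied globally.
! This line is present in a default configuration.
service-policy global_policy global
!
! --- Option B: ACL without inspection ---
! Narrower than "permit icmp any any": admit only the return message
! types that ping and traceroute depend on. An interface takes one
! inbound ACL, so if one is already bound to the outside interface,
! add these entries to that ACL instead of binding a new one.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! --- Verification (privileged EXEC mode, not configuration mode) ---
! Confirm that "inspect icmp" is listed under inspection_default:
show running-config policy-map
! Show the active service policy and its per-inspection packet counters:
show service-policy
! Simulate an echo request (ICMP type 8, code 0) from an inside host
! and see which phase (ACL, NAT, inspection) allows or drops it:
packet-tracer input inside icmp 192.168.18.10 8 0 203.0.113.10 detailed
```

With Option A in place the Option B entries are not required for ping replies, which keeps unsolicited ICMP from the outside blocked.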
