Solved

Need some help with pinging externally.

Posted on 2013-01-15
Last Modified: 2013-03-01
I have two sites, 192.168.16.x and 192.168.18.x, linked by a VPN between 2 Cisco ASAs.

I am on the 18 subnet and can ping all machines on the 18 subnet and the 16.
However, I cannot ping externally.
I can get to the web fine - web traffic passes over the VPN through a proxy on the 16 subnet.
DNS resolves fine, but as soon as I try to ping outside - say ping www.bbc.co.uk - I get timed out.

Tracert ain't helping at all.

On the 16 subnet I can ping all 16 subnet machines, all 18 machines and externally without issue.

Can someone assist with why ping won't bounce back? I had thought of static routes, but the firewall has a static route to the 18 subnet.

Thank you in advance
majic
Question by:Majicthise
4 Comments
 
LVL 15

Expert Comment

by:max_the_king
ID: 38778645
Hi,
you need to explicitly permit the icmp protocol on the inside interface, for example:

access-list inside_interface permit icmp any any
access-list inside_interface permit ip any any
access-group inside_interface in interface inside

Should you already have an access-list applied on the inside interface, you just need to add the following to your access-list:

access-list <your_already_existent_access-list> line 1 permit icmp any any

hope this helps
max
 
LVL 5

Accepted Solution

by:
Leeeee earned 500 total points
ID: 38780320
Or on the global policy, make sure inspect icmp is configured.
 

Author Comment

by:Majicthise
ID: 38781739
Thanks for the replies
ICMP is set on both devices, and on checking the counters, the rule is being hit.

I'm not sure how you do that, Leeeee?
Is that the same step that max is talking about?
 
LVL 5

Assisted Solution

by:Leeeee
Leeeee earned 500 total points
ID: 38783517
There is a global inspection policy configured by default on the ASA. It's normally towards the bottom of the config. Since ICMP is not stateful, you will need to configure an ACL like max recommended to explicitly allow it, or enable inspection of the protocol in the global inspection policy on the ASA:

Here's a great reference regarding ICMP:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

For your reference, this is how you would configure ICMP inspection:
policy-map global_policy
    class inspection_default
     inspect icmp
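One way to check a saved ASA running-config for the two settings discussed in this thread: an explicit `permit icmp` entry in an ACL bound with `access-group`, and `inspect icmp` under `class inspection_default` in `policy-map global_policy`. This is an added example, not part of any of the posts above; the sample config, the function names and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample running-config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
access-list inside_interface extended permit tcp any any eq www
access-group inside_interface in interface inside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

def icmp_inspected(config, policy="global_policy", cls="inspection_default"):
    """True if 'inspect icmp' sits under the given policy-map and class."""
    cur_policy = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Any top-level command ends the previous policy-map context.
            m = re.match(r"policy-map (\S+)$", line)
            cur_policy, cur_class = (m.group(1) if m else None), None
        elif line.startswith("class "):
            cur_class = line.split()[1]
        elif line == "inspect icmp" and cur_policy == policy and cur_class == cls:
            return True
    return False

def acls_permitting_icmp(config):
    """(acl, interface) pairs where a bound ACL has an explicit 'permit icmp' entry."""
    bound = re.findall(
        r"^access-group (\S+) (?:in|out) interface (\S+)", config, re.M)
    explicit = set(re.findall(
        r"^access-list (\S+)(?: line \d+)?(?: extended)? permit icmp\b",
        config, re.M))
    return sorted((acl, ifc) for acl, ifc in bound if acl in explicit)

def audit(config):
    """Summarise both ICMP-related settings for one config text."""
    return {"inspect_icmp": icmp_inspected(config),
            "icmp_acls": acls_permitting_icmp(config)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The ACL check only looks for explicit `permit icmp` entries; it does not evaluate rule order or broader `permit ip` entries.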
