Solved

Need some help with pinging externally.

Posted on 2013-01-15
4
324 Views
Last Modified: 2013-03-01
I have two sites 192.168.16.x and 192.168.18.x linked by a VPN between 2 Cisco ASA's

I am on the 18 subnet and can ping all machines on the 18 subnet and the 16.
However I cannot ping externally.
I can get to the web fine - web traffic passes over the  vpn thru a proxy on the 16 subnet
Dns resolves fine but as soon as I try to poing outside - say ping www.bbc.co.uk i get timed out.

Tracert aint helping at all.

On the 16 subnet I can ping all 16 subnet machines. all 18 machines and externally wqith out issue.

Can someone assist with why ping wont bounce back. I had thought of static routes, but the firewall has a static route to the 18 subnet.

Thank you in advance
majic
0
Comment
Question by:Majicthise
  • 2
4 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 38778645
Hi,
you need to explicitely permit icmp protocol on inside interface: for example:

access-list inside_interface permit icmp any any
access-list inside_interface permit ip any any
access-group inside_interface in interface inside

Should already have an access-list applied on inside interface, you just need to add up the following to your access-list:

access-list <your_already_existent_access-list> line 1 permit icmp any any

hope this helps
max
0
 
LVL 5

Accepted Solution

by:
Leeeee earned 500 total points
ID: 38780320
Or on the global policy, make sure inspect icmp is configured.
0
 

Author Comment

by:Majicthise
ID: 38781739
Thanks for the replies
ICMP is set on both devices, and on checking the counters, the rule is being hit.

I'm not sure how you do that Leeee?
Is that the same step the max is talking about?
0
 
LVL 5

Assisted Solution

by:Leeeee
Leeeee earned 500 total points
ID: 38783517
There is a global inspection policy configured by default on the ASA. It's normally towards the bottom of the config. Since ICMP is not stateful, you will need to configure an ACL like max recommended to explicitly allow it, or enable inspection of the protocol in the global inspection policy on the ASA:

Here's a great reference regarding ICMP:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

For your reference, this is how you would configure ICMP inspection:
policy-map global_policy
    class inspection_default
     inspect icmp
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question