Solved

Need some help with pinging externally.

Posted on 2013-01-15
Last Modified: 2013-03-01
I have two sites 192.168.16.x and 192.168.18.x linked by a VPN between 2 Cisco ASAs.

I am on the 18 subnet and can ping all machines on the 18 subnet and the 16.
However, I cannot ping externally.
I can get to the web fine - web traffic passes over the VPN through a proxy on the 16 subnet.
DNS resolves fine, but as soon as I try to ping outside - say ping www.bbc.co.uk - I get timed out.

Tracert ain't helping at all.

On the 16 subnet I can ping all 16 subnet machines, all 18 machines and externally without issue.

Can someone assist with why ping won't bounce back? I had thought of static routes, but the firewall has a static route to the 18 subnet.

Thank you in advance
majic
Question by:Majicthise
4 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 38778645
Hi,
you need to explicitly permit the ICMP protocol on the inside interface, for example:

access-list inside_interface permit icmp any any
access-list inside_interface permit ip any any
access-group inside_interface in interface inside

You should already have an access-list applied on the inside interface; you just need to add the following to your access-list:

access-list <your_already_existent_access-list> line 1 permit icmp any any

hope this helps
max
0
 
LVL 5

Accepted Solution

by:
Leeeee earned 500 total points
ID: 38780320
Or on the global policy, make sure inspect icmp is configured.
0
 

Author Comment

by:Majicthise
ID: 38781739
Thanks for the replies
ICMP is set on both devices, and on checking the counters, the rule is being hit.

I'm not sure how you do that, Leeeee?
Is that the same step that max is talking about?
0
 
LVL 5

Assisted Solution

by:Leeeee
Leeeee earned 500 total points
ID: 38783517
There is a global inspection policy configured by default on the ASA. It's normally towards the bottom of the config. Since ICMP is not stateful, you will need to configure an ACL like max recommended to explicitly allow it, or enable inspection of the protocol in the global inspection policy on the ASA:

Here's a great reference regarding ICMP:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

For your reference, this is how you would configure ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
0
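
An added example, not part of the thread and not Cisco tooling: a small Python check that reads a saved running-config and reports whether ICMP inspection is enabled under the global policy and whether that policy is actually applied. The sample config is constructed, and `service-policy global_policy global` and `inspect icmp error` are standard ASA commands that the thread itself does not mention.

```python
import re

# Constructed sample of an ASA running-config (not taken from the thread).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
service-policy global_policy global
"""

def icmp_inspection_status(config, policy="global_policy", cls="inspection_default"):
    """Report whether ICMP inspection is configured and applied globally."""
    in_policy = in_class = False
    inspects = set()
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # skip blank lines and ASA comment separators
        words = line.split()
        if line[0] != " ":  # top-level command: starts or ends a policy-map block
            in_policy = words[:2] == ["policy-map", policy]
            in_class = False
        elif in_policy and words[0] == "class":
            in_class = words[1:2] == [cls]
        elif in_policy and in_class and words[0] == "inspect":
            inspects.add(" ".join(words[1:]))
    applied = re.search(rf"^service-policy {re.escape(policy)} global\s*$",
                        config, re.M) is not None
    return {"inspect_icmp": "icmp" in inspects,
            "inspect_icmp_error": "icmp error" in inspects,
            "policy_applied": applied,
            "echo_replies_tracked": "icmp" in inspects and applied}

def remediation(status, policy="global_policy", cls="inspection_default"):
    """Return the config lines still needed for echo replies to be tracked."""
    lines = []
    if not status["inspect_icmp"]:
        lines += [f"policy-map {policy}", f" class {cls}", "  inspect icmp"]
    if not status["policy_applied"]:
        lines.append(f"service-policy {policy} global")
    return lines

if __name__ == "__main__":
    status = icmp_inspection_status(SAMPLE_CONFIG)
    print(status)
    print("\n".join(remediation(status)))
```
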
