Solved

Need some help with pinging externally.

Posted on 2013-01-15
4
327 Views
Last Modified: 2013-03-01
I have two sites 192.168.16.x and 192.168.18.x linked by a VPN between 2 Cisco ASA's

I am on the 18 subnet and can ping all machines on the 18 subnet and the 16.
However I cannot ping externally.
I can get to the web fine - web traffic passes over the  vpn thru a proxy on the 16 subnet
Dns resolves fine but as soon as I try to poing outside - say ping www.bbc.co.uk i get timed out.

Tracert aint helping at all.

On the 16 subnet I can ping all 16 subnet machines. all 18 machines and externally wqith out issue.

Can someone assist with why ping wont bounce back. I had thought of static routes, but the firewall has a static route to the 18 subnet.

Thank you in advance
majic
0
Comment
Question by:Majicthise
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 38778645
Hi,
you need to explicitely permit icmp protocol on inside interface: for example:

access-list inside_interface permit icmp any any
access-list inside_interface permit ip any any
access-group inside_interface in interface inside

Should already have an access-list applied on inside interface, you just need to add up the following to your access-list:

access-list <your_already_existent_access-list> line 1 permit icmp any any

hope this helps
max
0
 
LVL 5

Accepted Solution

by:
Leeeee earned 500 total points
ID: 38780320
Or on the global policy, make sure inspect icmp is configured.
0
 

Author Comment

by:Majicthise
ID: 38781739
Thanks for the replies
ICMP is set on both devices, and on checking the counters, the rule is being hit.

I'm not sure how you do that Leeee?
Is that the same step the max is talking about?
0
 
LVL 5

Assisted Solution

by:Leeeee
Leeeee earned 500 total points
ID: 38783517
There is a global inspection policy configured by default on the ASA. It's normally towards the bottom of the config. Since ICMP is not stateful, you will need to configure an ACL like max recommended to explicitly allow it, or enable inspection of the protocol in the global inspection policy on the ASA:

Here's a great reference regarding ICMP:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

For your reference, this is how you would configure ICMP inspection:
policy-map global_policy
    class inspection_default
     inspect icmp
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question