Cisco ASA 5505, Ping an External IP address from inside the Network

I have just installed a new Cisco ASA 5505, I previously had a Juniper installed.

The problem I have is that I am unable to ping my external IP addresses from inside my network.
I have a bunch of static IP addresses from my ISP. These are used for servers inside my network. lets say 50.130.90.100, 50.130.90.131 and so on. When I had the juniper as my firewall I was able to ping these from inside my private network 192.168.2.x

I am wondering how to configure the Cisco 5505 so that when I am inside the private network I can still ping my external IP's. I have a service running that requires a connection the external IP but users need to be able to log on from inside the network as well as outside.

THanks
carlocAsked:
Who is Participating?
 
pgolding00Connect With a Mentor Commented:
by design it was not possible in the past to ping any interface other than the one closest to the client. with icmp inspect (see Pete Long above) more is now possible, so it will depend on the version of code running.

with 1 to 1 host address translation for these servers and with names registered in dns for each, and if dns passes through the asa, pinging by name from the inside will work, but only if the dns query and reply pass through the asa, and dns inspect is configured. this works because the asa sees the dns response and looks up its address translation table. if it finds a match, then it substitutes the inside address into the dns response. so the ping ends up being to the inside address, if the source is on the inside.

if this is not the situation, the comments above are more relevant. nat (inside,inside) might be needed also - again, depends on the version.
0
 
Pete LongConnect With a Mentor Technical ConsultantCommented:
Add inspect ICMP to the default inspection map, see my site here,

Cisco Firewalls and PING


Pete
0
 
fgasimzadeCommented:
Try adding

same-security-traffic permit intra-interface
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
Feroz AhmedSenior Network EngineerCommented:
Hi,

To ping from Inside to Outside and Outside to Inside Network,your configuration should be as follows once you have configured inside and Outside Interfaces.

ASA(Config)#access-list 101 permit icmp any any echo-reply
ASA(Config)#access-group in interface outside (This configuration for access from Inside network to outside network)
ASA(Config)#access-list 101 permit icmp any any  (this is for access from outside to Inside network)
ASA(Config)#policy-map global_policy
ASA(Config)#class inspection_default
ASA(Config)#Inspect icmp  (this configuration to Inspect ICMP request from inside to outside and outside to Inside).
0
 
carlocAuthor Commented:
Hi,
I have eventually got this issue to work with NAT Hairpin. Then I created new NAT rules to allow the an internal ping to resolve to the outside IP address.

I am not sure if this is one of the solutions mentioned above as my firewall skills are limited.

If it is please let me know and I will award you the points.

Thanks for your help guys.
0
 
pgolding00Commented:
i think Pete Long's and my comments cover the resolution you used. anyone disagree?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.