Cisco ASA5505 can't ping external interface and odd rules

Posted on 2013-06-26
Last Modified: 2013-08-20
[Attached images: Access Rules, NAT Rules]
We have an ASA5505 with ASA version 8.3(1) and ASDM version 6.4(5).

For the life of me just can't get it to respond to pings from the outside. We use this to monitor uptime and we need to get it working ASAP.

The syslog continually reports:
Denied ICMP type=8, code=0 from ip_of_our_monitoring_service on interface ATT

We have created an Access Rule to Permit ICMP echo to the ATT interface, but still can't ping it. Also, we have 2 global rules (one which is not enabled) and 3 really odd NAT Rules (the last 3)  which were not created by me and I'm not really sure why they are there. However, disabling the Global Permit rule immediately breaks the Internet.

Can you guys suggest how to 1) allow pinging of the ATT (external) interface from the outside and 2) configure the device with the minimum amount of required rules?

I should clarify this is a super simple setup. Office with a little over a dozen users, Windows PDC server, remote desktop to the server and a couple of other machines for remote administration purposes, plus uptime monitoring with Nagios (those are the ports 12489 and 5666.) As far as routing, the device is not doing anything you couldn't achieve with a cheapo Linksys router.

Attached are images of the main config areas. I entered the IPs of a couple of objects in red just to clarify what those are.

Question by: omniumnetworking

Accepted Solution

Jan Springer earned 500 total points
ID: 39279626
Add a rule on the acl for the outside interface

permit icmp any any

Author Comment

ID: 39279689
Ahh, well I found the pinging problem. In Device Management > Management Access > ICMP there was a rule: ATT, permit, echo-reply

I changed "echo-reply" to "echo" and now I can ping the interface. I'm still concerned about all those other rules. Should they exist there?

Expert Comment

by:Jan Springer
ID: 39279720
I don't work with ASDM and don't know what the "global" section applies to but the other rules look explicit.  Without seeing the access-lists and access-group statements, I can't confirm 100% but it doesn't seem properly restricted.

Author Comment

ID: 39280021
Here are the access-list and access-group statements:
access-list ATT_access_in extended permit tcp any interface ATT object-group Rackspace
access-list ATT_access_in extended permit udp any interface ATT eq ntp
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group TripRDP
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group MarcRDP
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT object-group CordDP
access-list ATT_access_in extended permit object-group SNMP any interface ATT
access-list ATT_access_in extended permit object-group Camera any interface ATT
access-list ATT_access_in extended permit object-group TCPUDP any interface ATT eq www
access-list ATT_access_in extended permit tcp any interface ATT eq https
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in remark Trip RDP
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object xxxpdc1 eq 99990
access-list ATT_access_in_1 extended permit object-group NAGIOS object omni object xxxpdc1
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object TripW eq 99991
access-list ATT_access_in_1 extended permit object-group TCPUDP any eq 3389 object Marcella eq 99992
access-list global_access extended permit ip any any
access-group ATT_access_in_1 in interface ATT
access-group global_access global

Thanks for your help!

Expert Comment

ID: 39281199
I just wanted to pipe in on the global ACL.  Personally I don't like it but I can see its uses.  Global applies to inbound on ALL interfaces.  It also changes default behavior.

Default behavior with no ACLs defined
traffic from higher security interface to lower is allowed
lower to higher is denied

behavior with ACLs on interfaces (no global defined yet)  these are interface ACLs
looks at entries in ACL only
If no matches are found, it uses an implicit deny

behavior with global ACL and no interface ACL
looks at entries in ACL only
has implicit deny at end if no match found

behavior with interface and global ACLs
check entries in interface ACL first
if no match check global ACL
if no match implicit deny

The reason I don't like the global ACL is because let's say you don't apply an ACL to the inside interface; you believe that since it has a security-level of 100 it will by default allow all traffic. However, you configured a single rule in the global ACL to ensure ICMP is allowed in on all interfaces. Guess what, you just overrode the default behavior on the inside interface and only ICMP traffic is now allowed regardless of the security level you have configured. With that said, it is nice if you have ACLs on all interfaces and you have certain rules you want to apply to all interfaces. It cuts down on duplicate configuration.
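The evaluation order in the comment above, as an added model (not ASA code, not from the original thread): interface ACL first, then global ACL, then implicit deny, with the security-level default only when no ACL applies. The addresses, object names and the three scenario functions are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model (not ASA code) of the inbound evaluation order described
# above: interface ACL first, then global ACL, then implicit deny; with no
# ACL at all, the security-level default applies (higher to lower permitted).

def ace(action, proto, src="0.0.0.0/0", dst="0.0.0.0/0", dport=None):
    """One access-list entry; proto 'ip' matches every protocol."""
    return {"action": action, "proto": proto, "src": ip_network(src),
            "dst": ip_network(dst), "dport": dport}

def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in rule["src"]
            and ip_address(pkt["dst"]) in rule["dst"]
            and rule["dport"] in (None, pkt.get("dport")))

def evaluate(pkt, iface_acls, global_acl, levels):
    """Permit/deny an inbound packet on pkt['in'] that would exit pkt['out']."""
    acl = iface_acls.get(pkt["in"])
    if acl is None and not global_acl:
        return "permit" if levels[pkt["in"]] > levels[pkt["out"]] else "deny"
    for rule in (acl or []) + list(global_acl):
        if matches(rule, pkt):
            return rule["action"]
    return "deny"  # implicit deny once any ACL applies to the interface

LEVELS = {"inside": 100, "ATT": 0}
# Constructed sample addresses: 203.0.113.5 is an outside host, 10.0.0.10 the PDC.
RDP_IN = {"in": "ATT", "out": "inside", "proto": "tcp",
          "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 99990}
SMB_IN = dict(RDP_IN, dport=445)  # not listed in the ATT interface ACL
HTTPS_OUT = {"in": "inside", "out": "ATT", "proto": "tcp",
             "src": "10.0.0.10", "dst": "203.0.113.5", "dport": 443}
IFACE_ACLS = {"ATT": [ace("permit", "tcp", dst="10.0.0.10/32", dport=99990)]}
PACKETS = (RDP_IN, SMB_IN, HTTPS_OUT)

def with_global_permit_any():
    """Poster's setup: global 'permit ip any any' permits everything, SMB included."""
    return [evaluate(p, IFACE_ACLS, [ace("permit", "ip")], LEVELS) for p in PACKETS]

def with_global_icmp_only():
    """The pitfall: inside has no ACL, so an ICMP-only global ACL denies its HTTPS."""
    return [evaluate(p, IFACE_ACLS, [ace("permit", "icmp")], LEVELS) for p in PACKETS]

def without_global():
    """No global ACL: interface ACL on ATT, security-level default on inside."""
    return [evaluate(p, IFACE_ACLS, [], LEVELS) for p in PACKETS]
```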

Expert Comment

ID: 39281213
So in your case, you are allowing all traffic (ip any any permit) on all interfaces (at least through the ASA), pretty much removing most of the reason to run a firewall because of how your global ACL is configured.

no access-list global_access extended permit ip any any
no access-group global_access global

but get rid of the global rule you're defining.  It opens your ASA way too much.

Expert Comment

ID: 39285618
I would not run the commands Cyclops has mentioned right away. Though I agree that the permit ip any any in the global should not be there, I suspect that it was put there by someone who did not know how to correctly configure the ASA and needed to get things working.

Before removing those commands you would need to analyze the traffic and identify what ports need to be opened.  Once that is done, you can go ahead and remove those commands.

Expert Comment

ID: 39296642
MAG03 raises a very good point. Sorry, I guess I just assumed all necessary permits were on the interface ACL. Definitely analyze the traffic first before starting to deny traffic, to ensure no needed traffic gets denied.

Personally what I would do is set up a Splunk instance on a server and configure the ASA to forward syslog to it. Then I would change the ip any any permit on the global to log as well. This will create a lot of traffic, potentially more than a free license of Splunk will allow. If this is the case, let it collect data for about a week then turn off logging. When you try to log too much it will still index but not allow you to search until you are indexing below your "free" daily limit; that is why shutting it off is good. I say Splunk because I've found it to be the best syslog tool for searching logs easily. You should be able to more easily pick out what traffic is moving through your ASA and see if you want to allow it or not. If you do, create an ACL entry on an ACL applied to an interface. Once done, then remove the global permit ip any any.
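The analysis step above done over plain syslog text instead of Splunk, as an added example that is not from the thread: sum the hits that only the logged global ACL permitted inbound on ATT, grouped by protocol, destination and port, and render candidate interface-ACL lines for a person to review. The %ASA-6-106100 lines are constructed sample data with documentation-range addresses, not the poster's logs.

```python
import re
from collections import Counter

# Constructed sample %ASA-6-106100 lines (not from the poster's device) of the
# kind that 'log' on the global permit would produce. 10.0.0.10 stands for the PDC.
SAMPLE_SYSLOG = """\
%ASA-6-106100: access-list global_access permitted tcp ATT/203.0.113.5(51234) -> inside/10.0.0.10(99990) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list global_access permitted tcp ATT/203.0.113.5(51240) -> inside/10.0.0.10(99990) hit-cnt 12 300-second interval [0x0, 0x0]
%ASA-6-106100: access-list global_access permitted tcp ATT/198.51.100.7(40001) -> inside/10.0.0.10(5666) hit-cnt 4 300-second interval [0x0, 0x0]
%ASA-6-106100: access-list global_access permitted tcp ATT/203.0.113.99(6000) -> inside/10.0.0.10(445) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list global_access permitted tcp inside/10.0.0.25(52000) -> ATT/203.0.113.50(443) hit-cnt 9 300-second interval [0x0, 0x0]
%ASA-6-106100: access-list ATT_access_in_1 permitted tcp ATT/198.51.100.7(40002) -> inside/10.0.0.10(12489) hit-cnt 2 300-second interval [0x0, 0x0]
"""

LINE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<ingress>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<egress>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")

def flows_needing_rules(text, global_acl="global_access", iface="ATT"):
    """Hit counts per (proto, dst, dport) for inbound flows only the global ACL permitted."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if (m and m["acl"] == global_acl and m["action"] == "permitted"
                and m["ingress"] == iface):
            flows[(m["proto"], m["dst"], int(m["dport"]))] += int(m["hits"])
    return flows

def suggest_aces(flows, acl_name="ATT_access_in_1"):
    """Candidate interface-ACL lines, busiest flow first; review before applying any."""
    ordered = sorted(flows.items(), key=lambda kv: -kv[1])
    return [f"access-list {acl_name} extended permit {proto} any host {dst} eq {port}"
            for (proto, dst, port), _hits in ordered]
```

Flows already matched by the interface ACL and outbound flows are left out, so the list contains only what would break when the global permit is removed; a flow such as the single hit on port 445 belongs in the output precisely so someone can decide it should not get a rule.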
