• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco ASA 5510

Hi -

I'm running ASA 9.1(4) ASDM 7.1(5)100 and I'm looking to allow pings from trusted.panorama9.com to my external interfaces.

Also, I have an MPLS network and my other sites cannot ping the Cisco ASAs at other locations. How do I allow access to log in and ping?

ex. network a - can't get to the ASA on network b -
1 Solution
The first thing you need to do to allow pings to be allowed from "trusted.panorama9.com" is to modify the ACL that is tied to your external interface. Follow the steps below to accomplish this.

1. Login to the ASA
2. Click on the "Configuration" tab located at the top of ASDM
3. Click on "Firewall" located on the left hand side of the screen
4. Ensure that "Access Rules" is highlighted towards the top left hand side of your screen.
5. In the middle of your screen highlight the "Outside" interface
6. Click on the "Add" button towards the top of your screen.
7. This will open a new window. You will want to configure the settings below.
8. In the Interface drop down menu select "Outside"
9. In Action select "Permit"
10. In the Source: drop down menu you can do 1 of 2 things. You can select "Any" which will allow any IP address to ping the external IP address. Or you can select "trusted.panorama9.com" to allow only this IP address to ping your external IP address. I am going to assume you only want to allow this website/IP address to ping your external Interface on the ASA so follow the steps below. If you do not care and want to allow "Any" then skip to step 21.
11. Click on the button "...." next to Source
12. Click on the "Add" button and select "Network Object Group"
13. In the Group Name field type in the name and description of your choice.
14. Towards the lower left hand part of your screen select the bubble for "Create New Network Object Member"
15. In the name type in a name of your choice
16. In the "Type" drop down menu select "Host"
17. In IP Version select "IPv4"
18. In the IP Address field type in the following IP addresses. Since this website resolves to several different IP addresses you will need to repeat steps 15-19 to complete this task:
19. Click on the "Add" button
20. Click "OK"
21. In the "Destination" field click on the button "...."
22. Scroll down and double click "Outside" found underneath Interfaces
23. Click "OK"
24. In the "Service" field click on the button "....."
25. Double click on "icmp"
26. Click "OK"
27. Click "OK"
28. Click on "Apply" to apply the configuration to your ASA
29. Test out the configuration to ensure this website is able to ping your ASA's external IP address.
The second issue is that the other sites are unable to connect to the ASA to log in. There are a couple of things off the top of my head that could be causing this issue. One is a routing issue, and the second is that this could be a configuration issue where only certain IP addresses are allowed to connect to the ASA for management. See below.

Check for a routing issue.

1. Login to the ASA via ASDM
2. Click on "Configuration" located at the top of the screen.
3. Click on "Routing"
4. Click on "Static Routes" (assuming you do NOT have a dynamic routing protocol configured).
5. You will want to try to find an entry for IP Address - "" with subnet mask "" If you do not have an entry for this then that would be a good reason why your network is not able to communicate with the ASA, since it would not have a route back to this network.
6. If you do not have a route for this then you will need to create one. To create one follow the steps below.
7. Click on "Add"
8. In "IP Address Type:" select IPv4
9. In "Interface" select "Inside"
10. In "Network" click on the "...." button. This will open a new window
11. Click on the "Add" button
12. Type in a name of your choice
13. In "Type" change this to "Network"
14. In IP Address type in ""
15. In Netmask type in ""
16. Click "OK"
17. In Gateway IP Click on the "..." button
18. Click on the "Add" button
19. Type in a name of your choice
20. In "Type" leave this set as "Host"
21. In IP Address type in the IP address of the next hop towards this network.
22. In Netmask type in ""
23. Leave FQDN blank.
24. Type in a description of your choice
25. Click "OK"
26. Click "OK"
27. Click "OK"
28. Click "Apply" to apply your changes.
29. Test

Next you will want to check that the ASA allows other subnets to configure the ASA. Follow the steps below.

1. Login to the ASA via ASDM
2. Click on "Configuration"
3. Click on "Device Management"
4. Click on "Management Access"
5. Click on "ASDM/HTTPS/Telnet/SSH"
6. Locate the entry for "ASDM/HTTPS" for the "Inside" Interface and make note of the "IP Address" and "Mask/Prefix Length" column
7. Depending on how this is set up you will need to either create a new entry or modify the existing entry to allow the subnets you want to be able to connect to ASDM.

A lot of this depends on your network topology and how things are set up. If you have any questions along the way feel free to ask. If possible attach a diagram of your network topology so I can get a better understanding of how things are set up if you need further assistance.
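
The two checks in this answer (a route back to the remote site, and an ASDM/HTTPS or SSH entry that covers it) can also be run against a saved `show running-config`. This is an added example, not part of the original answer: the sample configuration, its addresses and the function names `parse` and `check_site` are constructed for illustration, and it assumes the remote site is not directly connected, so only `route` lines are consulted.

```python
import ipaddress

# Constructed sample of "show running-config" output; all addresses are made up.
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.20.0.0 255.255.255.0 10.10.0.254 1
http server enable
http 10.10.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 10.10.0.0 255.255.255.0 inside
ssh 10.20.0.0 255.255.255.0 inside
ssh timeout 5
"""

def parse(config):
    """Return {'route'|'http'|'ssh': [(network, interface), ...]}."""
    found = {"route": [], "http": [], "ssh": []}
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] not in found:
            continue
        try:
            if parts[0] == "route":   # route <if> <net> <mask> <gateway> [metric]
                ifname, net, mask = parts[1:4]
            else:                     # http|ssh <net> <mask> <if>
                net, mask, ifname = parts[1:4]
            network = ipaddress.ip_network(f"{net}/{mask}")
        except ValueError:            # "http server enable", "ssh timeout 5", ...
            continue
        found[parts[0]].append((network, ifname))
    return found

def check_site(config, site_cidr, interface="inside"):
    """Report whether hosts in site_cidr can reach and manage the ASA."""
    site = ipaddress.ip_network(site_cidr)
    found = parse(config)
    # Longest-prefix match decides which interface return traffic leaves by.
    routes = [r for r in found["route"] if site.subnet_of(r[0])]
    best = max(routes, key=lambda r: r[0].prefixlen, default=None)

    def allowed(kind):
        return any(i == interface and site.subnet_of(n) for n, i in found[kind])

    return {
        "route_interface": best[1] if best else None,
        "route_back": bool(best) and best[1] == interface,
        "asdm_allowed": allowed("http"),
        "ssh_allowed": allowed("ssh"),
        # Management entries that match every source address.
        "open_to_any": [f"{k} {i}" for k in ("http", "ssh")
                        for n, i in found[k] if n.prefixlen == 0],
    }

if __name__ == "__main__":
    print(check_site(SAMPLE_CONFIG, "10.20.0.0/24"))
```

For the constructed sample, the 10.20.0.0/24 site has a route back and SSH access but no ASDM entry, and the `http 0.0.0.0 0.0.0.0 outside` line is reported as open to any source.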
emeka57 (Author) commented:
Is there any way to allow pings from trusted.panorama9.com rather than the specific IP addresses?  This would be helpful in case some IP addresses change.

Also, will ping work if the interface isn't the active/primary interface? Is there a way to use both interfaces as primary?
Yes this does appear to be possible. Follow the steps below:

1. Login to ASA via ASDM
2. Click on "Configuration"
3. Click on "Firewall"
4. Click on "Objects"
5. Click on "Network Objects/Groups"
6. Click on the "Add" button then click on "Address Object"
7. Type in the name of your choice
8. In the type drop down menu select "FQDN"
9. In FQDN type in "trusted.panorama9.com"
10. Type in the description of your choice.
11. Click "OK"
12. Click "Apply"

Next you need to update your ACL to use this new object.

1. Login to ASA via ASDM
2. Click on "Configuration"
3. Click on "Access Rules"
4. Find your Outside ACL and click on the "Edit" button
5. Change the source to reflect the address object you created in the steps above.
6. Apply the configuration and Save it
7. Test

I'm not sure I understand your question about the active/primary interface as well as using both interfaces as primary. Can you describe your setup so I can get a better understanding? Do you have two outside interfaces connected to two separate IP Addresses? Are you trying to load balance over them or something along those lines?
emeka57 (Author) commented:

I have 2 ISPs connected to the ASA.  The primary (which is pingable when it's active) and the second (unpingable when inactive).  Is there a way to make the secondary pingable when it's inactive?

Alternatively, how do I make both active?  This will also be helpful in the event that one circuit fails.
Question has a verified solution.
