Cisco ASA - can't ping/trace icmp to IP in public IP block

IP block from ISP: x.y.z.32/28

ISP gateway: x.y.z.33
ASA outside: x.y.z.34

permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp

I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail

This, however, "DROP" by implicit rule - which goes to the implicit "deny any any""
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail

This fails on every IP in the block except the actual IP on the interface.

What am I missing?
snowdog_2112Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tadeystasCommented:
maybe it's stupid question, but do you have a route setup?
0
snowdog_2112Author Commented:
I don't follow what you mean.

I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.

I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.

Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.

The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
0
tadeystasCommented:
On ASA you can only ping from higher security level to lower security level, not vice versa.
0
snowdog_2112Author Commented:
More info: this is *not* the only outside facing interface, and it's also not the default route.  I *do* have a /28 route on the remote side to this block.

I am trying to ping from an Internet IP *not in my subnet* to several IP's which are in my subnet.

I can ping the ISP gateway, but not the IP on the outside interface, nor any of the other IP's which are part of my block - some of which I have tcp mappings defined (e.g., static (inside,outside) tcp x.y.z.45 3389 192.168.1.45 3389) so I can't add a 1-to-1 - which would theoretically send the ping to the INSIDE host, not the ASA itself.

Do I need a reciprocating route on this side via this non-default interface to the remote network?   Even if that were true, the packet-tracer shows the incoming icmp "drop" due to implicit rule, not that it is receiving the ping on this interface and replying via the default gateway interface.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
snowdog_2112Author Commented:
no solution found.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.