Why PC cannot ping ASA

Hi It is strange that the PC cannot ping the ASA. The topology is like this ASA(inside)---DeviceA----PC. the ASA can ping PC and DeviceA, but PC cannot ping ASA. When PC ping ASA, we can see message of debug icmp(debug icmp track 255 in the ASA) from the PC. The DeviceA can also ping both ASA and PC. I check the ASA config, which does not any limit to icmp. Capture show the ASA can receive message, but did not send any message to the PC. Anyone can give some suggestion ? Thank you
eemoonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lacayoaTeam Leader Systems EngineerCommented:
icmp should be disabled by default on the inside interface.

you'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.
eemoonAuthor Commented:
Thank you so much for your fast reply. I used to do the same thing without any configuration. Maybe something is wrong.

Do you think which one should be used in the following two groups commands
I am using them,  but they are still not working

1
icmp permit any echo inside
icmp permit any echo-reply inside

2
access-list icmp extended permit ip any 172.33.1.0 255.255.255.0 (172.33.1.3 255.255.255.248 is asa inside ip)
access-group icmp in interface inside
lacayoaTeam Leader Systems EngineerCommented:
Try with no. 2 and also with the global policy:

! To fix the pings for the trusted interfaces
!  update the default global policy map
policy-map global_policy
class inspection_default
inspect icmp
High-tech healthcare

From AI to wearables, telehealth to genomics to 3D printing — healthcare technology is seeing rapid advancement. Experts believe that this technological advancement will save money and save lives. Healthcare is changing dramatically, and emerging technology drives that change.

Learn more
eemoonAuthor Commented:
Thank you for your reply. I added these three lines. But everything is the same as before.
If traffic goes from high security level to low level and then come back, we need the inspect. In the present case, the traffic just reach inside interface, i do not think we need it.
Jody LemoineNetwork ArchitectCommented:
I believe this was answered in another question, but you need the "permit icmp any echo inside" statement on the ASA to allow hosts to ping its internal interface.
Pete LongTechnical ConsultantCommented:
Unless you specifically denied it in the past it should reply?

By default you can ping any interface you are directly connected to - thats why the internet can ping your outside IP address :)

Can the switch directly connected to the ASA ping it? if not then you will have denied icmp echo and the command above will work.

Pete

Cisco Firewalls and PING

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
eemoonAuthor Commented:
Thank you all for your reply. Now I already solved it. The DeviceA contains several devices, one of them is Palo. After config it, it can work.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.