WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!
Why PC cannot ping ASA
Hi It is strange that the PC cannot ping the ASA. The topology is like this ASA(inside)---DeviceA----P
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Thank you so much for your fast reply. I used to do the same thing without any configuration. Maybe something is wrong.
Do you think which one should be used in the following two groups commands
I am using them, but they are still not working
1
icmp permit any echo inside
icmp permit any echo-reply inside
2
access-list icmp extended permit ip any 172.33.1.0 255.255.255.0 (172.33.1.3 255.255.255.248 is asa inside ip)
access-group icmp in interface inside
Do you think which one should be used in the following two groups commands
I am using them, but they are still not working
1
icmp permit any echo inside
icmp permit any echo-reply inside
2
access-list icmp extended permit ip any 172.33.1.0 255.255.255.0 (172.33.1.3 255.255.255.248 is asa inside ip)
access-group icmp in interface inside
Try with no. 2 and also with the global policy:
! To fix the pings for the trusted interfaces
! update the default global policy map
policy-map global_policy
class inspection_default
inspect icmp
! To fix the pings for the trusted interfaces
! update the default global policy map
policy-map global_policy
class inspection_default
inspect icmp
Thank you for your reply. I added these three lines. But everything is the same as before.
If traffic goes from high security level to low level and then come back, we need the inspect. In the present case, the traffic just reach inside interface, i do not think we need it.
If traffic goes from high security level to low level and then come back, we need the inspect. In the present case, the traffic just reach inside interface, i do not think we need it.
I believe this was answered in another question, but you need the "permit icmp any echo inside" statement on the ASA to allow hosts to ping its internal interface.
Unless you specifically denied it in the past it should reply?
By default you can ping any interface you are directly connected to - thats why the internet can ping your outside IP address :)
Can the switch directly connected to the ASA ping it? if not then you will have denied icmp echo and the command above will work.
Pete
Cisco Firewalls and PING
By default you can ping any interface you are directly connected to - thats why the internet can ping your outside IP address :)
Can the switch directly connected to the ASA ping it? if not then you will have denied icmp echo and the command above will work.
Pete
Cisco Firewalls and PING
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Thank you all for your reply. Now I already solved it. The DeviceA contains several devices, one of them is Palo. After config it, it can work.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
you'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.