Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Why PC cannot ping ASA
Hi It is strange that the PC cannot ping the ASA. The topology is like this ASA(inside)---DeviceA----P
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
icmp should be disabled by default on the inside interface.
you'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.
you'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.
Thank you so much for your fast reply. I used to do the same thing without any configuration. Maybe something is wrong.
Do you think which one should be used in the following two groups commands
I am using them, but they are still not working
1
icmp permit any echo inside
icmp permit any echo-reply inside
2
access-list icmp extended permit ip any 172.33.1.0 255.255.255.0 (172.33.1.3 255.255.255.248 is asa inside ip)
access-group icmp in interface inside
Do you think which one should be used in the following two groups commands
I am using them, but they are still not working
1
icmp permit any echo inside
icmp permit any echo-reply inside
2
access-list icmp extended permit ip any 172.33.1.0 255.255.255.0 (172.33.1.3 255.255.255.248 is asa inside ip)
access-group icmp in interface inside
Try with no. 2 and also with the global policy:
! To fix the pings for the trusted interfaces
! update the default global policy map
policy-map global_policy
class inspection_default
inspect icmp
! To fix the pings for the trusted interfaces
! update the default global policy map
policy-map global_policy
class inspection_default
inspect icmp
Thank you for your reply. I added these three lines. But everything is the same as before.
If traffic goes from high security level to low level and then come back, we need the inspect. In the present case, the traffic just reach inside interface, i do not think we need it.
If traffic goes from high security level to low level and then come back, we need the inspect. In the present case, the traffic just reach inside interface, i do not think we need it.
I believe this was answered in another question, but you need the "permit icmp any echo inside" statement on the ASA to allow hosts to ping its internal interface.
Unless you specifically denied it in the past it should reply?
By default you can ping any interface you are directly connected to - thats why the internet can ping your outside IP address :)
Can the switch directly connected to the ASA ping it? if not then you will have denied icmp echo and the command above will work.
Pete
Cisco Firewalls and PING
By default you can ping any interface you are directly connected to - thats why the internet can ping your outside IP address :)
Can the switch directly connected to the ASA ping it? if not then you will have denied icmp echo and the command above will work.
Pete
Cisco Firewalls and PING
Premium Content
You need an Expert Office subscription to comment.Start Free Trial