Why PC cannot ping ASA

eemoon used Ask the Experts™
Hi, it is strange that the PC cannot ping the ASA. The topology is like this: ASA(inside)---DeviceA----PC. The ASA can ping the PC and DeviceA, but the PC cannot ping the ASA. When the PC pings the ASA, we can see debug icmp messages (debug icmp trace 255 on the ASA) from the PC. DeviceA can also ping both the ASA and the PC. I checked the ASA config, which does not have any limit on ICMP. The capture shows the ASA can receive the messages, but it did not send any message to the PC. Can anyone give some suggestions? Thank you
lacayoa, Team Leader Systems Engineer
ICMP should be disabled by default on the inside interface.

You'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.


Thank you so much for your fast reply. I used to do the same thing without any configuration. Maybe something is wrong.

Which one of the following two groups of commands do you think should be used?
I am using them, but they are still not working.

icmp permit any echo inside
icmp permit any echo-reply inside

access-list icmp extended permit ip any ( is asa inside ip)
access-group icmp in interface inside
lacayoa, Team Leader Systems Engineer
Try with no. 2 and also with the global policy:

! To fix the pings for the trusted interfaces
! update the default global policy map
policy-map global_policy
 class inspection_default
  inspect icmp

Thank you for your reply. I added these three lines, but everything is the same as before.
If traffic goes from a high security level to a low level and then comes back, we need the inspect. In the present case, the traffic just reaches the inside interface, so I do not think we need it.
Jody Lemoine, Network Architect
I believe this was answered in another question, but you need the "permit icmp any echo inside" statement on the ASA to allow hosts to ping its internal interface.
Technical Consultant
Unless you specifically denied it in the past it should reply?

By default you can ping any interface you are directly connected to - that's why the internet can ping your outside IP address :)

Can the switch directly connected to the ASA ping it? If not, then you will have denied icmp echo and the command above will work.


Cisco Firewalls and PING


Thank you all for your replies. I have now solved it. DeviceA contains several devices; one of them is a Palo. After configuring it, it works.
