Why PC cannot ping ASA

eemoon
Hi. It is strange that the PC cannot ping the ASA. The topology is like this: ASA(inside)---DeviceA----PC. The ASA can ping the PC and DeviceA, but the PC cannot ping the ASA. When the PC pings the ASA, we can see the message from the PC in the ICMP debug (debug icmp trace 255 on the ASA). DeviceA can also ping both the ASA and the PC. I checked the ASA config, which does not have any limit on ICMP. A capture shows the ASA receives the message but does not send any message to the PC. Can anyone give some suggestions? Thank you
lacayoa, Team Leader Systems Engineer
Commented:
ICMP should be disabled by default on the inside interface.

You'll need to explicitly permit it (and also all IP) and apply the access-group to the inside interface.

Author

Commented:
Thank you so much for your fast reply. I used to do the same thing without any configuration. Maybe something is wrong.

Which of the following two groups of commands do you think should be used?
I am using them, but they are still not working.

1
icmp permit any echo inside
icmp permit any echo-reply inside

2
access-list icmp extended permit ip any 172.33.1.0 255.255.255.0 (172.33.1.3 255.255.255.248 is the ASA inside IP)
access-group icmp in interface inside
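To make the semantics of option 1 concrete, here is an added Python model of the ASA `icmp` control list. This is example code written for this page, not the poster's configuration or Cisco's implementation. It encodes the documented behaviour of the `icmp {permit|deny} {any | host A.B.C.D | A.B.C.D MASK} [icmp-type] IFNAME` command: entries are matched in order per interface, an interface with no `icmp` entries accepts all ICMP addressed to it, and once any entry exists an implicit deny ends the list. The config strings and the source address 172.33.1.10 are constructed for the example. Note that the `access-group ... in interface` ACL in option 2 filters traffic passing through the ASA, not traffic addressed to the ASA's own interface, so it is the `icmp` command, not that ACL, that decides whether the inside interface answers a ping.

```python
"""Model of the Cisco ASA `icmp` command (to-the-box ICMP control list).

Example code for this thread, not Cisco's implementation. Semantics modelled:
  * `icmp {permit|deny} {any | host A.B.C.D | A.B.C.D MASK} [icmp-type] IFNAME`
  * entries are evaluated in order, per interface; the first match decides;
  * an interface with NO icmp entries accepts all ICMP addressed to it;
  * once an interface has at least one entry, an implicit "deny all" ends the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type names the command accepts that matter when troubleshooting ping
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3,
              "time-exceeded": 11, "traceroute": 30}

# Constructed config: the poster's "option 1" lines, verbatim
OPTION_1_CONFIG = (
    "icmp permit any echo inside\n"
    "icmp permit any echo-reply inside\n"
)


@dataclass
class IcmpRule:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # source network the entry matches
    icmp_type: Optional[int]         # None means any ICMP type
    interface: str                   # nameif of the ASA interface


def _icmp_type_code(token: str) -> int:
    """Accept either a numeric ICMP type or one of the named types."""
    return int(token) if token.isdigit() else ICMP_TYPES[token]


def parse_icmp_rules(config: str) -> List[IcmpRule]:
    """Extract `icmp permit|deny ...` entries from running-config text."""
    rules: List[IcmpRule] = []
    for raw in config.splitlines():
        tok = raw.strip().split()
        if len(tok) < 3 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # some other line (ACL, inspect, comment): not an icmp entry
        action, rest = tok[1], tok[2:]
        if rest[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:  # "A.B.C.D MASK" form; ipaddress accepts dotted netmasks
            net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
        # what remains is "[icmp-type] IFNAME"
        icmp_type = _icmp_type_code(rest[0]) if len(rest) == 2 else None
        rules.append(IcmpRule(action, net, icmp_type, rest[-1]))
    return rules


def to_the_box_icmp_permitted(config: str, src_ip: str,
                              icmp_type: str, interface: str) -> bool:
    """Would ICMP of `icmp_type` from `src_ip`, addressed to the ASA's own
    `interface` address, be accepted by the ASA?"""
    src = ipaddress.ip_address(src_ip)
    code = _icmp_type_code(icmp_type)
    applicable = [r for r in parse_icmp_rules(config) if r.interface == interface]
    if not applicable:
        return True   # no control list on this interface: everything to-the-box is allowed
    for r in applicable:
        if src in r.source and (r.icmp_type is None or r.icmp_type == code):
            return r.action == "permit"
    return False      # implicit deny once any entry exists for the interface


if __name__ == "__main__":
    pc = "172.33.1.10"  # constructed PC address on the inside subnet
    cases = {
        "no icmp entries at all": "",
        "poster's option 1": OPTION_1_CONFIG,
        "echo permitted, reply not": "icmp permit any echo inside\n",
        "deny only on outside": "icmp deny any outside\n",
        "explicit deny on inside": "icmp deny any inside\n",
    }
    for label, cfg in cases.items():
        echo = to_the_box_icmp_permitted(cfg, pc, "echo", "inside")
        reply = to_the_box_icmp_permitted(cfg, pc, "echo-reply", "inside")
        print(f"{label:28s} echo-in={echo!s:5s} echo-reply-in={reply}")
```

With option 1 applied, an echo from the PC to the inside address is permitted, so the `icmp` control list is not what drops the ping; that is consistent with the thread's resolution, where the cause turned out to be a device in the path rather than the ASA. The "echo permitted, reply not" case shows the implicit deny: once any entry exists for an interface, every type not explicitly permitted is dropped, which is why option 1 lists both echo and echo-reply.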
lacayoa, Team Leader Systems Engineer
Commented:
Try with no. 2 and also with the global policy:

! To fix the pings for the trusted interfaces
!  update the default global policy map
policy-map global_policy
class inspection_default
inspect icmp

Author

Commented:
Thank you for your reply. I added these three lines, but everything is the same as before.
If traffic goes from a high security level to a low level and then comes back, we need the inspect. In the present case, the traffic just reaches the inside interface; I do not think we need it.
Jody Lemoine, Network Architect
Commented:
I believe this was answered in another question, but you need the "permit icmp any echo inside" statement on the ASA to allow hosts to ping its internal interface.
Pete, Technical Consultant
Commented:
Unless you specifically denied it in the past, it should reply.

By default you can ping any interface you are directly connected to; that's why the internet can ping your outside IP address :)

Can the switch directly connected to the ASA ping it? If not, then you will have denied ICMP echo and the command above will work.

Pete

Cisco Firewalls and PING

Author

Commented:
Thank you all for your replies. I have now solved it. DeviceA contains several devices, one of which is a Palo. After configuring it, it works.
