Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)

KB ID 0000914 


Firewall Blocking Traffic

Considering we use ICMP to test connectivity, the fact that it is not a stateful protocol can be a major pain! Last week one of my colleagues rang me up and said, “Can you jump on this firewall, I’ve got no comms, and I can't ping external IP addresses. I can ping the internet from the firewall and I can ping internal IP addresses from the firewall”.


1. Before we start, let's get the basics out of the way: does the client you are pinging from have a firewall turned on? Can you ping the inside interface of the firewall?

2. Pinging will never work unless ICMP inspection is enabled on the firewall. See the following article.

Cisco Firewalls and PING

Using Packet-Tracer to Test Ping/ICMP

3. At this point we troubleshoot as we would for any other traffic through the firewall. To do this we use packet-tracer; the syntax is slightly different for ICMP than it is for TCP and UDP, though. We need to specify an ICMP type and an ICMP code. To make sure the traffic leaves the firewall we trace ICMP type 8 (echo) with ICMP code 0 (none), and for traffic inbound we trace ICMP type 0 (echo-reply) with ICMP code 0 (none).

ICMP Types and Codes

Test Outbound Ping

Petes-ASA# packet-tracer input inside icmp 8 0

Testing Inbound Ping (where is the public IP you are mapped to)

Petes-ASA# packet-tracer input outside icmp 0 0

Note: You need to use the public addresses or this will happen.

4. Make sure the client you are on is getting NATTED or PATTED through the firewall. Below we will assume my internal IP address is

Note: If you have names enabled and has a name, you will get no results! Issue a no names command from configure terminal mode to check.

Petes-ASA# show xlate | incl

If this machine was being NATTED to another public IP address it would look like this:

NAT from inside: to outside:

If this machine was being PATTED to a public IP address it would look like this:

ICMP PAT from inside: to outside: flags ri idle 0:00:07 timeout 0:00:30

If it fails at this stage, check your network address translation (NAT) configuration on the firewall.

5. If all appears normal so far you can capture the traffic as it passes through the firewall. Below I’m successfully capturing the ICMP traffic through the firewall.

Petes-ASA# configure terminal
Petes-ASA(config)# capture capout interface inside match icmp host any
Petes-ASA(config)# capture capin interface outside match icmp host any

At this point attempt to ping, so that some traffic is captured.

Petes-ASA(config)# show capture capout

8 packets captured

1: 12:56:51.089244 > icmp: echo request
2: 12:56:51.104410 > icmp: echo reply
3: 12:56:52.092829 > icmp: echo request
4: 12:56:52.108926 > icmp: echo reply
5: 12:56:53.098688 > icmp: echo request
6: 12:56:53.113809 > icmp: echo reply
7: 12:56:54.105463 > icmp: echo request
8: 12:56:54.120263 > icmp: echo reply

Petes-ASA(config)# show capture capin

8 packets captured

1: 12:57:28.170981 > icmp: echo request
2: 12:57:28.185949 > icmp: echo reply
3: 12:57:29.175238 > icmp: echo request
4: 12:57:29.190084 > icmp: echo reply
5: 12:57:30.180212 > icmp: echo request
6: 12:57:30.195500 > icmp: echo reply
7: 12:57:31.186101 > icmp: echo request
8: 12:57:31.201680 > icmp: echo reply
8 packets shown

Note: If your capout capture looks like the following, then you didn’t have inspect icmp enabled on your policy-map.

Petes-ASA(config)# show capture capout

4 packets captured

1: 13:02:33.285309 > icmp: echo request
2: 13:02:37.886596 > icmp: echo request
3: 13:02:42.886672 > icmp: echo request
4: 13:02:47.888198 > icmp: echo request
4 packets shown
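If you have saved several show capture listings to a file (from the ASA or through a terminal log), the following added script, which is not from the article or from Cisco, pairs each echo request with the echo reply flowing back the other way and flags the request-only pattern shown above. It assumes the standard show capture line shape (index, timestamp, source > destination: icmp: echo request/reply) and uses constructed RFC 5737 documentation addresses in its samples.

```python
import re
from collections import Counter

# Expected line shape: the article's listing with constructed RFC 5737
# addresses in place of the stripped IPs, e.g.
#   1: 12:56:51.089244 192.0.2.10 > 198.51.100.1: icmp: echo request
CAPTURE_LINE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
    r"\s+icmp:\s+echo (?P<kind>request|reply)\s*$"
)

def parse_capture(text):
    """Return (src, dst, kind) per ICMP echo line; other lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            packets.append((m.group("src"), m.group("dst"), m.group("kind")))
    return packets

def diagnose(text):
    """Flag echo requests with no matching echo reply.
    verdict: 'empty' (no echo lines reached this interface), 'ok' (every
    request answered), or 'no-reply' (the pattern the article shows when
    inspect icmp is missing from the policy-map).
    """
    packets = parse_capture(text)
    requests = Counter((s, d) for s, d, k in packets if k == "request")
    replies = Counter((s, d) for s, d, k in packets if k == "reply")
    unanswered = {}
    for (src, dst), n in requests.items():
        missing = n - replies.get((dst, src), 0)  # a reply travels dst -> src
        if missing > 0:
            unanswered[(src, dst)] = missing
    verdict = "empty" if not packets else ("no-reply" if unanswered else "ok")
    return {"requests": sum(requests.values()), "replies": sum(replies.values()),
            "unanswered": unanswered, "verdict": verdict}

# Constructed sample mirroring the article's failing capout listing.
SAMPLE_NO_REPLY = """\
1: 13:02:33.285309 192.0.2.10 > 198.51.100.1: icmp: echo request
2: 13:02:37.886596 192.0.2.10 > 198.51.100.1: icmp: echo request
3: 13:02:42.886672 192.0.2.10 > 198.51.100.1: icmp: echo request
4: 13:02:47.888198 192.0.2.10 > 198.51.100.1: icmp: echo request
4 packets shown
"""
# Constructed sample of a healthy request/reply pair.
SAMPLE_OK = """\
1: 12:56:51.089244 192.0.2.10 > 198.51.100.1: icmp: echo request
2: 12:56:51.104410 198.51.100.1 > 192.0.2.10: icmp: echo reply
"""
```

A 'no-reply' verdict on the inside-interface capture points you back at step 2 (inspect icmp), while 'empty' means the requests never reached the firewall, which is step 1 territory.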

How Do I Clear or Delete a Cisco ASA Capture?

To clear a Capture, but leave it running;

Petes-ASA(config)# clear capture capin
Petes-ASA(config)# clear capture capout
Petes-ASA(config)# show capture capin

0 packet captured

0 packet shown
Petes-ASA(config)# show capture capout

0 packet captured

0 packet shown

To Delete a Capture;

Petes-ASA(config)# no capture capout
Petes-ASA(config)# no capture capin 

Related Articles, References, Credits, or External Links

Cisco Firewalls and PING

Cisco ASA 5500 Allowing Tracert


Author: Migrated
