KB ID 0000351
Problem
With regard to ping, out of the box a Cisco firewall will only answer pings that arrive on the interface the traffic came in on. So in a normal setup inside clients can ping the inside interface, and the outside interface can be pinged from outside, but you cannot, for example, ping the outside interface from an inside client.
OK – to understand pinging through a Cisco firewall you need to understand that ping is part of ICMP, and unlike TCP and UDP it is not “connection oriented”. What that means is that on a new firewall with no ICMP inspection enabled, the outbound echo request is happily let out (it is going from a higher to a lower security level), but the firewall has no connection entry to match the echo-reply against, so the reply is dropped by the implicit deny on the outside interface. The result is a failure on the client.
Also See:
Cisco ASA 5500 Allowing Tracert
Solution
Cisco ASA and Cisco PIX (version 7 and above) From CLI
Version 7 introduced an ICMP inspection engine, so the firewall can track ICMP echo requests and let only the matching replies back in, the same way it tracks TCP and UDP connections. It is NOT turned on by default. The command is “inspect icmp”, but you need to enter the default class inside the global policy-map first (this assumes you still have the standard policy-map, global_policy, with its inspection_default class). Connect to the firewall and use the following commands from configure terminal mode, then save the changes with a “write mem” command. This is the preferred method on a 7.x or later firewall: because the replies are tracked statefully, you do not have to open any ICMP types inbound with an access-list.
[box]
PetesASA> enable
Password: ********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect icmp
PetesASA(config-pmap-c)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config-pmap-c)#
[/box]
Cisco ASA and Cisco PIX (version 7 and above) From ASDM
Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select “inspection_default” > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.
Cisco PIX (version 6 and below) From CLI
Older firewalls do not have an inspection map, nor was there a “fixup” for ICMP and ping traffic, so you need to explicitly allow the return ICMP traffic back in with an access-list. Be aware of the trade-off: these are plain ACL entries with no state behind them, so they admit echo-reply (and the other listed types) from any source whether or not an inside host actually sent a request. Note: this assumes you already have an inbound access-list called “inbound” and we are adding some more lines to it; change the word “inbound” to match the name/number of your own inbound access-list (“show access-group” will tell you what is applied to the outside interface),
e.g.
[box]
PetesASA> enable
Password: ********
PetesASA# show access-group
access-group inbound in interface outside   <<This one is called inbound.
[/box]
If you already have an access-list applied, simply substitute the name of your ACL for the word “inbound” below.
[box]
PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply
PetesASA(config)# access-list inbound permit icmp any any time-exceeded
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench
[/box]
If you HAD an inbound ACL already applied, skip this step. If you didn’t have one, you need to apply the ACL to the outside interface with an access-group command.
[box]
PetesASA(config)# access-group inbound in interface outside
[/box]
Lastly save your work with a write mem command.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#
[/box]
Cisco PIX (version 6 and below) From PDM
Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside to Inside > Tick ICMP > Select “echo-reply” > OK > Apply > File > Save running configuration to flash.
Then repeat for time-exceeded, unreachable and source-quench.
Stop Interfaces replying to Ping traffic
As stated above, each firewall interface will respond to pings that arrive on it from the network it is connected to. To stop this you use the “icmp” command, which controls ICMP addressed to the firewall’s own interface addresses (it does not affect ICMP passing through the firewall, which is governed by inspection and your access-lists). One caveat: as soon as any icmp rule exists for an interface, ICMP to that interface that matches no rule is implicitly denied. So if you deny echo on the outside interface, also add a permit for unreachable (type 3) on that interface, otherwise path MTU discovery to the firewall breaks.
[box]
Syntax: icmp {permit | deny} {any | host ip-address | ip-address mask} [icmp-type] interface-name
Example: icmp deny any echo outside
[/box]
Do the same from ASDM
Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.
Do the same from PDM
Connect to the PDM > Configuration > System Properties > Administration > ICMP > Add > Specify the Type, Interface, Source etc. > OK > Apply > File > Save running configuration to flash.
If you are still having problems, see the following article:
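The three things configured above (ICMP inspection in the global policy, the legacy any/any ICMP access-list entries, and the per-interface “icmp” control list) are what you should audit once the change is in. The script below is an added example, not part of the original article or anything Cisco ships: it reads the text of a saved “show running-config” and reports on all three, applying the same first-match-then-implicit-deny rule the firewall uses for ICMP to its own interfaces. The configuration it parses is constructed, and the hostname, interface names and the 203.0.113.5 probe address are assumptions for illustration.

```python
"""Audit a saved Cisco ASA 'show running-config' for the ICMP settings this
article covers.  Added example, not from the original article; the sample
config, hostname, interface names and probe address are constructed."""
import ipaddress

# Constructed sample: legacy any/any ICMP ACL, no "inspect icmp", outside
# interface refuses pings to itself but still accepts unreachables (PMTUD).
SAMPLE_CONFIG = """\
hostname PetesASA
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any unreachable
access-group inbound in interface outside
icmp deny any echo outside
icmp permit any unreachable outside
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
"""

# ICMP type names the ASA CLI accepts, as numbers so "echo" and "8" compare equal.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11}

def _icmp_type(token):
    # Name or number -> int; unknown names are kept as-is so they never match None.
    return ICMP_TYPES.get(token, int(token) if token.isdigit() else token)

def icmp_inspected(config):
    """True if 'inspect icmp' sits under any class of the globally applied
    policy-map ('inspect icmp error' is a separate engine and does not count)."""
    lines = config.splitlines()
    global_pm = next((t[1] for t in map(str.split, lines) if len(t) == 3
                      and t[0] == "service-policy" and t[2] == "global"),
                     "global_policy")                     # ASA default name
    current_pm = None
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "policy-map":
            current_pm = None if tok[1] == "type" else tok[1]
        elif not line[0].isspace():
            current_pm = None                             # unindented line ends the block
        elif current_pm == global_pm and tok == ["inspect", "icmp"]:
            return True
    return False

def broad_icmp_acl_entries(config):
    """(acl, interface, icmp_type) for each 'permit icmp any any [type]' entry in
    an ACL bound to an interface: these admit unsolicited ICMP, not just replies."""
    bound = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-group"] and "interface" in tok:
            bound[tok[1]] = tok[tok.index("interface") + 1]
    hits = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[1] not in bound:
            continue
        body = tok[3:] if tok[2] == "extended" else tok[2:]
        if body[:4] in (["permit", "icmp", "any", "any"], ["permit", "icmp", "any4", "any4"]):
            icmp_type = body[4] if len(body) > 4 and body[4] != "log" else "any"
            hits.append((tok[1], bound[tok[1]], icmp_type))
    return hits

def parse_icmp_rules(config):
    """Parse 'icmp {permit|deny} {any|host A|A M} [type] iface' lines, in order."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue                      # skips e.g. 'icmp unreachable rate-limit ...'
        if tok[2] == "any":
            src, rest = ipaddress.ip_network("0.0.0.0/0"), tok[3:]
        elif tok[2] == "host":
            src, rest = ipaddress.ip_network(tok[3]), tok[4:]
        else:
            src, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4:]
        icmp_type = _icmp_type(rest[0]) if len(rest) == 2 else None   # None = all types
        rules.append((tok[1], src, icmp_type, rest[-1]))
    return rules

def icmp_to_interface(config, interface, icmp_type, source_ip):
    """'permit' or 'deny' for ICMP of icmp_type from source_ip sent to the firewall's
    own interface: no rules = permit all; otherwise first match, then implicit deny."""
    rules = [r for r in parse_icmp_rules(config) if r[3] == interface]
    if not rules:
        return "permit"
    src, wanted = ipaddress.ip_address(source_ip), _icmp_type(icmp_type)
    for action, net, rtype, _ in rules:
        if src in net and (rtype is None or rtype == wanted):
            return action
    return "deny"

if __name__ == "__main__":
    print("inspect icmp enabled:", icmp_inspected(SAMPLE_CONFIG))
    print("any/any ICMP ACL entries:", broad_icmp_acl_entries(SAMPLE_CONFIG))
    print("ping outside interface:", icmp_to_interface(SAMPLE_CONFIG, "outside", "echo", "203.0.113.5"))
    print("unreachable to outside:", icmp_to_interface(SAMPLE_CONFIG, "outside", "unreachable", "203.0.113.5"))
```

On the sample the script reports that ICMP inspection is off, that two any/any ICMP entries are open on the outside ACL (the pre-7 method left in place), and that the outside interface drops echo but still accepts unreachables. Feed it the output of “show running-config” from your own firewall to check the same three points.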
Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)
Related Articles, References, Credits, or External Links
NA