ASA ICMP from Outside to Inside | Help!

Hello Guys,

I am confused about the theoretical part; I don't know if I can do what I am intending to do.
I have an ASA 55x configured and I'm able to ping from outside to the DMZ by predefined rules without problems. However, when I tried the same from outside to inside, the ASA does not even give a reason, it just drops... in packet tracer:

Asa# packet-tracer input outside icmp <hidden> 0 0 $
Result:
Action: drop

My question is whether it is possible for an IP on the internet to ping from outside to inside directly without passing through the DMZ, remembering that when I tried from outside to the DMZ it worked and also gave me a reason when tested with the packet-tracer command.

Help me!

Hello Lukas

The behaviour that you are describing is actually by design. When you configure a DMZ, it is designed to be able to communicate with the "internet at large", so communication from the OUTSIDE interface towards the DMZ is allowed. Take a look at the Security Zones section of the following lesson:

However, communication from OUTSIDE to INSIDE is not allowed. You can, however, make an exception to this rule by using an access list and specifying what kind of traffic you will allow to take place in this direction. More info on how this can be done can be found here:

Now, one thing to keep in mind is that if the destination of your ping is the ASA interface itself, then you will get no response to the ping. The ASA is designed not to respond to pings that come from a different subnet. This may be why no reason is given for the drop. Take a look and let us know...

I hope this has been helpful!

Laz
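To make the access-list exception described in the answer concrete, here is an added example of an outside-to-inside ICMP permit (this is not configuration from the thread or from Cisco's documentation). Everything in it is hypothetical: the inside host 10.1.1.10, its public address 203.0.113.10, the outside test source 198.51.100.5, and the object and ACL names. It uses post-8.3 ASA syntax, where the ACL matches the real (inside) address rather than the translated one; on pre-8.3 code the ACL would reference the mapped address instead.

```cisco
! Added example, not from the original post. All names and addresses are
! hypothetical placeholders; adjust to your own topology.
!
! 1. Static NAT so the inside host has a reachable public address.
!    Without a translation an internet source has no route to 10.1.1.10.
object network SRV_INSIDE
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! 2. Inbound ACL on the outside interface: permit only ICMP echo
!    requests to that one host, then deny and log everything else.
!    (The ASA has an implicit deny; the explicit line just adds logging.)
access-list OUTSIDE_IN extended permit icmp any object SRV_INSIDE echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 3. Stateful ICMP inspection so the echo reply is matched to the request
!    as one connection instead of being evaluated on its own.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 4. Verify. Use type 8 code 0 (echo request) and the PUBLIC address as the
!    destination, since that is what an internet host would actually send:
!
!    packet-tracer input outside icmp 198.51.100.5 8 0 203.0.113.10 detailed
```

Two checks worth doing before concluding the ASA is "dropping without a reason": use ICMP type 8 (echo request) in packet-tracer rather than type 0 (echo reply), and use the translated address rather than the inside interface IP as the destination, since traffic aimed at the ASA's own far-side interface is to-the-box traffic governed by the `icmp permit` command, not by the interface ACL, and packet-tracer will not show a useful ACL or NAT phase for it.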