If you can ping from the EC2 instance to the Cisco firewall but not the other way around, it suggests a one-way traffic issue. Here are some (other) AWS-side settings to check:
Route Tables: Check the route tables in your VPC to ensure there is a route that allows traffic to and from the Cisco firewall.
Internet Gateway/NAT Gateway: Ensure that if the EC2 instance is in a private subnet, it has a route out to the internet via a NAT gateway or NAT instance, and that the gateway is correctly configured.
Firewall Logs: Check the logs for your Cisco firewall to determine if the traffic is being sent out and if any rules might be blocking the outbound pings.
Need a little more info. Are you trying to ping the private or the public IP address of the EC2? How are you trying to access the EC2 from on-prem, via the internet, Site-to-Site VPN, or Direct Connect?
Have you allowed ICMP traffic in the security group? You can also enable VPC flow logs to see if the traffic is reaching the EC2 from on-prem. If the EC2 is a Windows machine, make sure the OS firewall (Windows Firewall) is allowing ICMP.
If your EC2 is in a private subnet then you can’t ping it.
If it’s in a public subnet with a public IP then you should be able to ping it so long as the NACLs and security groups allow ICMP and the return packets.
Please clarify where your Cisco FW is. Public or Private connection?
As suggested above, we need more information on the network connectivity between the FW and the EC2.
Since ping from the EC2 to the FW works, validate the EC2 IP in the FW logs to make sure traffic is coming from the expected IP.
Here are a few things for step-by-step troubleshooting:
- Check if ICMP is allowed outbound on the FW and the right public IP is used as the source IP for traffic generated by the FW (oftentimes NAT is used to translate the IPs behind the FW and not the FW's own IP)
- If the FW is connected to an Internet router, validate the bogon ACL for ICMP
- If the EC2 is behind a NAT GW, the EC2 will not be reachable for any traffic initiated from outside
- If the EC2 is behind a NAT instance or FW and many-to-one NAT is used for outbound traffic, the EC2 will not be reachable from outside
- If there is a network FW in your VPC and it is in the path, check the inbound FW rules and NAT rules
- If the EC2 has an EIP or PIP, check the NACL and SG (you can also validate using VPC Flow Logs)
- Depending on the OS, check the Windows FW or iptables
- Tools like Wireshark or tcpdump can be used to validate whether the traffic is reaching the EC2
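Two of the replies above suggest enabling VPC Flow Logs to see whether the on-prem ping reaches the EC2 at all, and then using them to tell an SG/NACL drop from an OS-level drop. The following is an added example, not code from any of the replies or from AWS: it parses default-format (version 2) flow log records for the instance's ENI and classifies a one-way ping into one of the cases from the checklist. It assumes the EC2 ENI's private IP and the firewall's source IP are known, that the captured window contains only the on-prem-to-EC2 ping test (a working EC2-to-FW ping in the same window would add records between the same pair that this simple classifier does not separate), and it does not interpret the port fields for ICMP. All sample records, addresses and the ENI ID are constructed.

```python
"""Classify a one-way ping from VPC Flow Log records (added example, not from the post).

Assumptions: default version 2 flow log format; the EC2 ENI's private IP and the
on-prem firewall's source IP are known; the log window contains only the
on-prem -> EC2 ping test. Every record below is constructed.
"""

# Default VPC Flow Log (version 2) fields, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ICMP = 1  # IANA protocol number; the port fields are not interpreted for ICMP here

# What each verdict means in terms of the checks listed in the replies.
NEXT_CHECKS = {
    "no_inbound": "Nothing reached the ENI: VPN/DX path, route tables, FW outbound ICMP rule and NAT source IP, NAT GW in path.",
    "inbound_rejected": "Echo request hit the ENI and was dropped: SG inbound ICMP rule or NACL inbound rule.",
    "no_reply": "Echo request accepted but the host sent nothing: OS firewall (Windows FW / iptables) or the host; confirm with tcpdump.",
    "reply_rejected": "Reply generated but dropped on the way out: SGs are stateful, so look at the NACL outbound rule.",
    "ok_in_vpc": "Both directions pass inside the VPC: check the return path and NAT on the firewall side.",
}


def parse_records(text):
    """Parse flow log lines; skip blanks and raise on a malformed record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        # NODATA/SKIPDATA records carry '-' in the packet fields; leave those as strings.
        if rec["log_status"] == "OK":
            rec["protocol"] = int(rec["protocol"])
            rec["packets"] = int(rec["packets"])
        records.append(rec)
    return records


def icmp_actions(records, instance_ip, remote_ip):
    """Return the ACCEPT/REJECT actions seen inbound and outbound for ICMP between the pair."""
    inbound, outbound = [], []
    for r in records:
        if r["log_status"] != "OK" or r["protocol"] != ICMP:
            continue
        if r["srcaddr"] == remote_ip and r["dstaddr"] == instance_ip:
            inbound.append(r["action"])
        elif r["srcaddr"] == instance_ip and r["dstaddr"] == remote_ip:
            outbound.append(r["action"])
    return inbound, outbound


def diagnose(records, instance_ip, remote_ip):
    """Map the flow log evidence to one of the NEXT_CHECKS verdicts."""
    inbound, outbound = icmp_actions(records, instance_ip, remote_ip)
    if not inbound:
        return "no_inbound"
    if "ACCEPT" not in inbound:
        return "inbound_rejected"
    if not outbound:
        return "no_reply"
    if "ACCEPT" not in outbound:
        return "reply_rejected"
    return "ok_in_vpc"


# Constructed samples: 10.0.1.25 is the EC2 private IP, 203.0.113.10 the firewall.
INSTANCE_IP, FIREWALL_IP = "10.0.1.25", "203.0.113.10"

# Echo request accepted inbound, reply rejected on the way out (NACL outbound case).
SAMPLE_REPLY_REJECTED = """
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 0 0 1 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.10 0 0 1 5 420 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000120 - NODATA
"""

# Echo request dropped at the ENI (security group or NACL inbound).
SAMPLE_INBOUND_REJECTED = """
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 0 0 1 5 420 1700000000 1700000060 REJECT OK
"""

# Echo request accepted, unrelated TCP flow present, but no ICMP reply at all (OS firewall / host).
SAMPLE_NO_REPLY = """
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 0 0 1 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 198.51.100.7 443 52614 6 12 2400 1700000000 1700000060 ACCEPT OK
"""

if __name__ == "__main__":
    for name, sample in [("reply_rejected", SAMPLE_REPLY_REJECTED),
                         ("inbound_rejected", SAMPLE_INBOUND_REJECTED),
                         ("no_reply", SAMPLE_NO_REPLY)]:
        verdict = diagnose(parse_records(sample), INSTANCE_IP, FIREWALL_IP)
        print(f"{name}: {verdict} -> {NEXT_CHECKS[verdict]}")
```

Two points worth knowing when reading real records this way: the flow log shows the ENI's private IP as the destination even when the on-prem side is pinging the EIP, so filter on the private address; and a drop by the OS firewall never appears as a REJECT, it shows up as an accepted inbound flow with no reply flow, which is why the "no_reply" case points at Windows Firewall or iptables rather than at the SG or NACL. A REJECT record does not say whether the SG or the NACL dropped the packet, so check both.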
You wouldn’t get a one-way ping if there was a routing issue. It’s all or nothing. ICMP also requires a return path. If you get a ping response then routing is correct.