When i try to ping from inside lan to firewall DMZ interface IP it is not pingable and but from inside users i am able to ping firewall inside interface IP address.
e.g:
I have following scenario where i am trying to ping from 10.30.1.100 PC to ASA interface 10.20.1.1 not pinging but i can ping 10.20.1.100 so why ASA not allowing to ping distant interfaces?
Solution:
You cannot ping the far interfaces by design. There is nothing you can do to change that behavior, this is done as a security measure by the ASA ( Built-in feature).
The adaptive security appliance only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i1.html#wp1697623
“For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.”
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/trouble.pdf
Network and CyberSecurity Professional 