  1. DCD (Senior Member; Join Date: Jan 2013; Location: San Francisco, Ca; Posts: 437; Certifications: CCNA)
    #1

    Ping through ASA

    Having an issue pinging through the ASA. It is real equipment using version 9.1 of the software. From the ASA I can ping the PC and the router, and from both the PC and the router I can ping the ASA. I'm missing something but I can't see it right now. Thanks for the help.

    ciscoasa# sh route
    C 10.0.0.0 255.255.255.0 is directly connected, outside
    C 192.168.1.0 255.255.255.0 is directly connected, Inside
    d* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside

    ciscoasa# ping 192.168.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ciscoasa# ping 10.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

    ciscoasa# sh arp
    outside 10.0.0.1 xxxx.xxxx.xxxx 11
    Inside 192.168.1.2 xxxx.xxxx.xxxx 2

    ciscoasa# sh int ip brief
    Interface IP-Address OK? Method Status Protocol
    Ethernet0/0 10.0.0.14 YES DHCP up up
    Ethernet0/1 unassigned YES unset administratively down down
    Ethernet0/2 unassigned YES unset administratively down down
    Ethernet0/3 192.168.1.1 YES manual up up
    Management0/0 unassigned YES unset administratively down down

    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-group 101 in interface outside

    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute



    [Attachment: ASA lab.JPG]

  2. Junior Member (Registered Member; Join Date: Feb 2017; Posts: 1)
    #2
    You need to inspect ICMP in order for your pings to work.
    Under global policy, in class inspection_default: inspect icmp and inspect icmp err.

  3. DCD (Senior Member; Join Date: Jan 2013; Location: San Francisco, Ca; Posts: 437; Certifications: CCNA)
    #3
    Thank you NetworkDude. I did finally add it to the inspection_default policy, but I thought I could just use an access-list. Maybe that was good for older versions of the software.

  4. Member (Join Date: Jul 2014; Location: UK; Posts: 32; Certifications: MTA (OS, Network, HTML5), Comptia (A+, N+), ITIL Foundation 2011, CCENT, CCNA R&S)
    #4
    You can just use an access-list to allow ICMP without enabling ICMP inspection in the policy map. However, you are required to add a permit access-list control entry for the *response* traffic (in addition to an access-list control entry for the *request* traffic).

    By enabling ICMP inspection in the policy map, you are basically telling the ASA to keep track of the connection in its state table and automatically allow the ICMP echo reply through without the need for an ACE for the response traffic.

    On a side note, if you do not add any access lists on the ASA at all and wish to rely on its in-built feature of permitting traffic from a higher security level interface to a lower level security interface, you would still need to enable ICMP inspection in the policy map, otherwise the response traffic will not be allowed through.
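    The two approaches described in this post, written out side by side as an added ASA configuration example (this is not taken from the thread or from any poster's device). The interface names, the 192.168.1.0/24 inside network and the ACL number follow the original post; the policy-map, class-map and service-policy names are the ASA 9.x defaults. It assumes the outside router can return traffic to 192.168.1.0/24 (via a route or a NAT rule), which the thread does not show.

```cisco
! --- Option A: ACL only, no ICMP inspection ---
! The echo request leaves inside (security-level 100) toward outside
! (security-level 0) and is permitted by the security-level default.
! Without inspection the returning echo reply on the outside interface is
! treated as a new connection, so it needs its own ACE on the outside ACL.
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any unreachable
access-group 101 in interface outside
! If an ACL is also applied inbound on the inside interface, the request
! (the echo) needs an ACE there too. (ACL name "inside_in" is assumed.)
access-list inside_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-group inside_in in interface inside

! --- Option B: stateful ICMP inspection in the default global policy ---
! With "inspect icmp" the ASA records the outbound echo request in its
! connection table and matches the returning echo reply against it, so no
! echo-reply ACE on the outside interface is required. "inspect icmp error"
! additionally admits ICMP error messages (unreachable, time-exceeded) that
! relate to an existing connection, which is what traceroute relies on.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
```

    To confirm which path is in effect, "show service-policy inspect icmp" lists the inspection with its packet counters, and "show conn" shows the ICMP connection entry while a ping from the inside host is running. If neither approach is configured, only the echo request is allowed and the reply is dropped on the outside interface, which matches the symptom in the first post.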

  5. Fireman (Join Date: Feb 2009; Location: Texas; Posts: 55; Certifications: A+ Network+ CCSA CCSE CCSE+ CCMSE+Provider-1 CCMSE+VSX CCMA)
    #5
    Another quick tip to turn on ICMP is fixup protocol icmp.

  6. Member (Join Date: Jul 2014; Location: UK; Posts: 32; Certifications: MTA (OS, Network, HTML5), Comptia (A+, N+), ITIL Foundation 2011, CCENT, CCNA R&S)
    #6
    Originally Posted by BobMead:
        Another quick tip to turn on ICMP is fixup protocol icmp.
    Very good tip!
