https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4894993#M1103054 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/460403">@bwn</a>&nbsp;</P> <P>&nbsp;If you can keep the same security level, use the command</P> <P><SPAN> <EM>same</EM>-<EM>security</EM>-<EM>traffic permit inter</EM>-<EM>interface</EM></SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FlavioMiranda_0-1690559037906.png" style="width: 798px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/192928i05A9DB72905BE780/image-dimensions/798x596?v=v2" width="798" height="596" role="button" title="FlavioMiranda_0-1690559037906.png" alt="FlavioMiranda_0-1690559037906.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Jul 2023 15:44:11 GMT Flavio Miranda 2023-07-28T15:44:11Z https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4894989#M1103053 <P>We have an ASA5506 and I'm trying to have an IP address that is accessible on the outside interface be accessible on the inside interface. I can ping the address if I select outside interface but there is no response when trying to ping from the inside interface. I'm using the ASDM tool as I don't spend a lot of time managing routers. I tried changing the security level of the outside interface to 100 to match the inside interface as I thought traffic may be allowed if the same security level but that didn't seem to make a difference.&nbsp;</P> Fri, 28 Jul 2023 15:37:15 GMT https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4894989#M1103053 bwn 2023-07-28T15:37:15Z https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4894993#M1103054 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/460403">@bwn</a>&nbsp;</P> <P>&nbsp;If you can keep the same security level, use the command</P> <P><SPAN> <EM>same</EM>-<EM>security</EM>-<EM>traffic permit inter</EM>-<EM>interface</EM></SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FlavioMiranda_0-1690559037906.png" style="width: 798px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/192928i05A9DB72905BE780/image-dimensions/798x596?v=v2" width="798" height="596" role="button" title="FlavioMiranda_0-1690559037906.png" alt="FlavioMiranda_0-1690559037906.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Jul 2023 15:44:11 GMT https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4894993#M1103054 Flavio Miranda 2023-07-28T15:44:11Z https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4894998#M1103055 <P>1- icmp inspection&nbsp;</P> <P>2-allow icmp via inside acl if found&nbsp;</P> <P>3- route OUT 0.0.0.0 0.0.0.0 must add to asa&nbsp;</P> Fri, 28 Jul 2023 15:45:07 GMT https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4894998#M1103055 MHM Cisco World 2023-07-28T15:45:07Z https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895005#M1103056 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-07-28_11-54-01.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/192929iBA4C21AA17173AA2/image-size/large?v=v2&amp;px=999" role="button" title="2023-07-28_11-54-01.jpg" alt="2023-07-28_11-54-01.jpg" /></span>I have done that as you can see in the screenshot attached. I've also set the security level the same. If I do a tracert from the outside interface it works fine but when I change to the inside_1 interface it hangs.&nbsp;</P> Fri, 28 Jul 2023 15:56:54 GMT https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895005#M1103056 bwn 2023-07-28T15:56:54Z https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895042#M1103057 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/460403">@bwn</a> for ICMP you either need to explictly permit ICMP echo-reply inbound on the outside interface ACL or as <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a> mentioned enable ICMP inspection. Enable ICMP inspection using the CLI command <STRONG>fixup protocol icmp</STRONG></P> <P>To allow traceroute from inside to outside then you need to permit icmp time-exceeded and unreachable inbound on the outsisde interface ACL. Example <A href="https://integratingit.wordpress.com/2018/12/15/allow-icmp-traceroute-through-cisco-asa/" target="_blank">https://integratingit.wordpress.com/2018/12/15/allow-icmp-traceroute-through-cisco-asa/</A></P> <P>Also change the security level of the outside interface to 0, traffic from a low security level to a high level is denied as default (which is what you want on the outside interface).</P> Fri, 28 Jul 2023 17:09:40 GMT https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895042#M1103057 Rob Ingram 2023-07-28T17:09:40Z https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895150#M1103059 <P>I've changed the outside security back to 0. Is this where I should be permitting the ICMP echo reply? Is there anywhere I need to add anything?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2023-07-28_16-32-59.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/192957i33C75D846895C1FA/image-size/large?v=v2&amp;px=999" role="button" title="2023-07-28_16-32-59.jpg" alt="2023-07-28_16-32-59.jpg" /></span></P> Fri, 28 Jul 2023 20:35:01 GMT https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895150#M1103059 bwn 2023-07-28T20:35:01Z https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895155#M1103061 <PRE>asa# packet-tracer input inside icmp x.x.x.x 8 0 y.y.y.y detail </PRE> <P>x.x.x.x is inside subnet&nbsp;</P> Fri, 28 Jul 2023 21:04:42 GMT https://community.cisco.com/t5/network-security/asa5506-access-question/m-p/4895155#M1103061 MHM Cisco World 2023-07-28T21:04:42Z