https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133851#M1113654 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1556185">@fmugambi</a> you can enable ICMP inspection to allow ping responses, use the CLI command <STRONG>fixup protocol icmp</STRONG></P> <P>This will amend the class map as below</P> <PRE>class inspection_default<BR /><STRONG> inspect icmp<BR /></STRONG></PRE> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Jun 2024 06:26:40 GMT Rob Ingram 2024-06-20T06:26:40Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133849#M1113653 <P>Hello Team,</P><P>I have a cisco asa firewall connected to ISP. I have allowed internet access of downstream devices on the asa.</P><P>I have a case where, servers downstream are able to browse internet, but not able to ping for example 8.8.8.8.</P><P>is there an acl restriction anywhere? is there an extra command i need for ping replies to be successful. this is useful for troubleshooting.</P><P>Thank you.</P> Thu, 20 Jun 2024 06:08:04 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133849#M1113653 fmugambi 2024-06-20T06:08:04Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133851#M1113654 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1556185">@fmugambi</a> you can enable ICMP inspection to allow ping responses, use the CLI command <STRONG>fixup protocol icmp</STRONG></P> <P>This will amend the class map as below</P> <PRE>class inspection_default<BR /><STRONG> inspect icmp<BR /></STRONG></PRE> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Jun 2024 06:26:40 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133851#M1113654 Rob Ingram 2024-06-20T06:26:40Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133868#M1113655 <P><SPAN>My always first step&nbsp; command&nbsp;</SPAN></P> <P><SPAN>config t</SPAN></P> <P>fixup protocol icmp</P> <P>end</P> <P>&nbsp;</P> Thu, 20 Jun 2024 07:03:38 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133868#M1113655 balaji.bandi 2024-06-20T07:03:38Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133998#M1113660 <P>on that note, is there a specific cli command to just check acls with hit counts only?</P> Thu, 20 Jun 2024 11:21:31 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5133998#M1113660 fmugambi 2024-06-20T11:21:31Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134021#M1113661 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1556185">@fmugambi</a>&nbsp;</P> <P>ASA# <STRONG>show access-list | exclude hitcnt=0</STRONG></P> Thu, 20 Jun 2024 11:35:43 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134021#M1113661 Rob Ingram 2024-06-20T11:35:43Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134027#M1113662 <P>if i have multiple, say dm_access_in, outside_access_in, inside_access_out, how do i filter to specifics?</P> Thu, 20 Jun 2024 11:50:11 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134027#M1113662 fmugambi 2024-06-20T11:50:11Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134033#M1113663 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1556185">@fmugambi</a> you just add the name of the ACL, i.e.,</P> <P>show access-list <STRONG>dm_access_in</STRONG> | exclude hitcnt=0<BR />show access-list <STRONG>outside_access_in</STRONG> | exclude hitcnt=0<BR />show access-list <STRONG>inside_access_out</STRONG> | exclude hitcnt=0</P> Thu, 20 Jun 2024 12:01:37 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134033#M1113663 Rob Ingram 2024-06-20T12:01:37Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134041#M1113664 <P>thanks, helpful.</P><P>what if say in dm_inside_access_out, i have multiple vlans, 172.16.10.0/24,.20/24,.30.24.</P><P>is it possible to drill to specific vlan and get hitcount per vlan based?</P> Thu, 20 Jun 2024 12:10:06 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134041#M1113664 fmugambi 2024-06-20T12:10:06Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134096#M1113668 <P>the ASA ACL is apply to L3 interface which have nameif and VLAN,&nbsp;<BR />show run | in &lt;nameif&gt;<BR />then you will see&nbsp;</P> <P>access-group with nameif&nbsp;<BR />last&nbsp;<BR />do<BR />show access-list &lt;name of access-group appear&gt; | include hitcnt&nbsp;<BR /><BR />this way you can see access list hitcnt for each vlan&nbsp;</P> <P>MHM</P> Thu, 20 Jun 2024 14:03:00 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/5134096#M1113668 MHM Cisco World 2024-06-20T14:03:00Z