topic Re: Allowing Ping in Network Security https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907960#M24890 Yes.<BR /><BR />access-group OUTSIDE_IN in interface Outside Wed, 14 Aug 2019 09:36:55 GMT Rob Ingram 2019-08-14T09:36:55Z Allowing Ping https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907907#M24880 <P>Hello,</P><P>I have a Cisco ASA Firewall 5516-x Firepower with ASA-Image 9-12-2.</P><P>The Device is complet new and i want to allowing ping from outside to Inside and from Inside to Outside.</P><P>can you help me?</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P> Wed, 14 Aug 2019 07:38:34 GMT https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907907#M24880 AliRezaMirzaei0031 2019-08-14T07:38:34Z Re: Allowing Ping https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907910#M24884 <P>You can have accessl-list like below in to out and out in for ICMP to allow.</P> <P>&nbsp;</P> <P><STRONG>access-list acl-in-out extended permit icmp any any echo-reply</STRONG></P> <P><STRONG>access-list acl-in-out extended permit icmp any any time-exceeded</STRONG></P> Wed, 14 Aug 2019 07:45:08 GMT https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907910#M24884 balaji.bandi 2019-08-14T07:45:08Z Re: Allowing Ping https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907911#M24885 Hi,<BR />Use the command "fixup protocol icmp" to enable inspection for icmp, this will allow icmp requests from inside to outside to be permitted. If you want to ping from the outside to inside, it depends, you would probably need to create a static NAT and then permit the traffic on the inbound ACL on the outside interface.<BR /><BR />HTH Wed, 14 Aug 2019 07:45:13 GMT https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907911#M24885 Rob Ingram 2019-08-14T07:45:13Z Re: Allowing Ping https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907928#M24886 <P>perfect,</P><P>and can you write please the commands for NAT and ACL.</P><P>i want to all ip from outside can ping all ip to inside .</P><P>thanks</P> Wed, 14 Aug 2019 08:19:18 GMT https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907928#M24886 AliRezaMirzaei0031 2019-08-14T08:19:18Z Re: Allowing Ping https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907943#M24887 <P>Hi,</P> <P>Here is an example of static NAT, you'll need 1 static NAT entry for each device if you want to ping inbound from the outside. You wouldn't normally do that, unless it was for DMZ hosted services.</P> <P>&nbsp;</P> <PRE>object network SWI-1<BR /> host 10.10.0.1<BR /> nat (INSIDE,OUTSIDE) static 1.1.1.111<BR /><BR />object network SWI-2<BR /> host 10.10.1.1<BR /> nat (INSIDE,OUTSIDE) static 1.1.1.112<BR /><BR />access-list OUTSIDE_IN extended permit icmp any object SWI-1 echo<BR />access-list OUTSIDE_IN extended permit icmp any object SWI-2 echo</PRE> <P>If you were just pinging from in inside to outside you would only need 1 dynamic nat rule.</P> <P>&nbsp;</P> <P>HTH</P> Wed, 14 Aug 2019 08:54:56 GMT https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907943#M24887 Rob Ingram 2019-08-14T08:54:56Z Re: Allowing Ping https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907957#M24888 do i Need Access-Group then? Wed, 14 Aug 2019 09:34:52 GMT https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907957#M24888 AliRezaMirzaei0031 2019-08-14T09:34:52Z Re: Allowing Ping https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907960#M24890 Yes.<BR /><BR />access-group OUTSIDE_IN in interface Outside Wed, 14 Aug 2019 09:36:55 GMT https://community.cisco.com/t5/network-security/allowing-ping/m-p/3907960#M24890 Rob Ingram 2019-08-14T09:36:55Z