topic icmp in Network Security

icmp

klaudiuszmichalik — Tue, 12 Mar 2019 00:40:29 GMT

Hi All,

I have an issue with allowing ICMP from outside to inside. Inside to Outside works great.

I would really appreciate if someone could give me some advise.

Thanks for all your help!!

r13 (210.1.1.2) >>>>>>>>>>>>>>>> (210.1.1.1) outside ASA inside (172.20.1.2)>>>>>>>>>>>(172.20.1.1) r7

Please find extract from show config from ASA:

Result of the command: "show run"

: Saved

ASA Version 8.0(2)

names

name 192.168.0.0 external description externalpingable

interface Ethernet0/0

nameif management

security-level 100

ip address 172.20.1.2 255.255.255.248

interface Ethernet0/1

nameif outside

security-level 0

ip address 210.1.1.1 255.255.255.252

same-security-traffic permit inter-interface

object-group network DM_INLINE_NETWORK_1

network-object external 255.255.0.0

network-object 210.1.1.0 255.255.255.252

access-list from_outside extended permit icmp any any echo

access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 172.20.1.0 255.255.255.248 log disable

icmp unreachable rate-limit 1 burst-size 1

global (outside) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 210.1.1.2 1

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.20.1.1 255.255.255.255 management

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map global-class

match default-inspection-traffic

policy-map global_policy

policy-map global-policy

class global-class

inspect ftp

inspect http

inspect icmp

inspect icmp error

inspect snmp

inspect tftp

service-policy global-policy global

Re: icmp

Karsten Iwen — Sun, 23 Dec 2012 17:23:34 GMT

Is it icmp/echo that you want to allow in?

Then you have to migrate the "from_outside"-ACL into the ACL that is bound to the outside-interface:

access-list outside_access_in extended permit icmp any any echo

In addition you need a static translation for the systems that you want to ping from outside.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

icmp

klaudiuszmichalik — Sun, 23 Dec 2012 17:43:31 GMT

Thanks for your feedback.

I ll try and let you know

icmp

klaudiuszmichalik — Sun, 23 Dec 2012 18:16:11 GMT

Hi,

Do you want me to apply static NAT to inside host on its way out? Not sure how this can help.

Could you please clarify?

Thanks

icmp

Karsten Iwen — Sun, 23 Dec 2012 18:32:31 GMT

When communicating from the lower to the higher security-level you need a static translation for the server that should be reachable.

Or do you just want to give r13 the possibility to communicate to r7? Then the ACL is all you need on the ASA. But r13 needs a route to the network 172.20.1.0/29.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

icmp

klaudiuszmichalik — Sun, 23 Dec 2012 19:28:27 GMT

Hi,

Karsten thanks for your reply.

I applied ACL and static routing but it still isnt working.

I can see hits against ACL and translations/ untranslations but ping still fails.

My runn conf looks like this:Result of the command: "show run"

Any ideas?

names

name 192.168.0.0 external description externalpingable

interface Ethernet0/0

nameif management

security-level 100

ip address 172.20.1.2 255.255.255.248

interface Ethernet0/1

nameif outside

security-level 0

ip address 210.1.1.1 255.255.255.252

same-security-traffic permit inter-interface

object-group network DM_INLINE_NETWORK_1

network-object external 255.255.0.0

network-object 210.1.1.0 255.255.255.252

access-list from_outside extended permit icmp any any echo

access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 172.20.1.0 255.255.255.248 log disable

icmp unreachable rate-limit 1 burst-size 1

global (outside) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 210.1.1.2 1

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.20.1.1 255.255.255.255 management

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map global-class

match default-inspection-traffic

policy-map global_policy

policy-map global-policy

class global-class

inspect ftp

inspect http

inspect icmp

inspect icmp error

inspect snmp

inspect tftp

service-policy global-policy global

icmp

klaudiuszmichalik — Sun, 23 Dec 2012 19:37:33 GMT

Sorry my bad. my access list was still ponting to internal host.

Thanks!!! all good now!!!