
Allow ICMP through Cisco ASA

Steven Williams
Level 4

I know this seems trivial, but I can't seem to figure it out. I have a solarwinds server internal of my network and I need to be able to let IPAM scan public IP addresses that are beyond the ASA firewall. 


How can I accomplish this?

6 Replies

Hi, try this:-

ASA(config)# fixup protocol icmp
OR
ASA(config)# policy-map global_policy
ASA(config-pmap)# class default-inspection-class
ASA(config-pmap-c)# inspect icmp

If this doesn't achieve what you want, please provide your configuration.

HTH

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
inspect snmp

It's in the policy map.

I think the challenge is to ONLY allow that one internal host to ping and receive echo reply so I don't open ICMP to all the world.

So it doesn't work even with "inspect icmp" enabled?

This should allow ping returns from one host:

access-list Outside_access_in permit icmp host 192.168.10.1 any echo-reply
access-group Outside_access_in in interface OUTSIDE

Given that you have the "inspect icmp", you only need to allow icmp echo for your solarwinds host on your inside ACL:

access-list inside-access-in permit icmp host X.X.X.X any echo
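A small audit script for the two points raised in this thread, checking an exported ASA config for "inspect icmp" under policy-map global_policy and for inside-interface ICMP echo entries that are not pinned to a single host. This is an added example, not from any reply in the thread; the two config fragments and the host address 192.168.10.1 are constructed for illustration.

```python
import re

# Constructed config fragments modelled on the snippets in this thread.
# WEAK permits ICMP echo from any inside host; HARDENED pins it to one host.
WEAK_CONFIG = """
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
access-list inside-access-in extended permit icmp any any echo
access-group inside-access-in in interface inside
"""

HARDENED_CONFIG = """
policy-map global_policy
 class inspection_default
  inspect icmp
access-list inside-access-in extended permit icmp host 192.168.10.1 any echo
access-group inside-access-in in interface inside
"""

# Matches 'access-list NAME [extended] permit icmp <source ... > [type]'
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+icmp\s+(.+)$")


def icmp_inspected(config: str) -> bool:
    """True when 'inspect icmp' appears under 'policy-map global_policy'."""
    in_global = False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("policy-map "):
            # Any other policy-map (e.g. a 'type inspect' one) ends the scope.
            in_global = stripped == "policy-map global_policy"
        elif in_global and stripped == "inspect icmp":
            return True
    return False


def broad_icmp_permits(config: str) -> list:
    """Return ICMP permit entries whose source is not a single 'host' address."""
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(2).split()[0] != "host":
            findings.append(line.strip())
    return findings


def audit(config: str) -> dict:
    """Summarise both checks so the result can be reviewed or asserted on."""
    return {"inspect_icmp": icmp_inspected(config),
            "broad_icmp_permits": broad_icmp_permits(config)}
```

Run audit() against "show running-config" output; an empty broad_icmp_permits list with inspect_icmp True matches what the replies above recommend.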

I actually think it is a routing problem because if the internal device doesn't know about the network it will use its default route which is not the ASA where this subnet lives. So I assume that would be the issue.

Well, if the packets don't make it to the device where you do the access-control, then for sure it will be a problem ...
