Allowing Ping

Hello,

I have a Cisco ASA Firewall 5516-x Firepower with ASA-Image 9-12-2.

The device is completely new and I want to allow ping from outside to inside and from inside to outside.

Can you help me?

Thanks

VIP Advisor

Re: Allowing Ping

You can have an access-list like the one below, in to out and out to in, to allow ICMP.

access-list acl-in-out extended permit icmp any any echo-reply

access-list acl-in-out extended permit icmp any any time-exceeded

BB
RJI (VIP Advocate)

Re: Allowing Ping

Hi,
Use the command "fixup protocol icmp" to enable inspection for ICMP; this will allow ICMP requests from inside to outside to be permitted. If you want to ping from the outside to inside, it depends; you would probably need to create a static NAT and then permit the traffic on the inbound ACL on the outside interface.

HTH

Re: Allowing Ping

Perfect, and can you please write the commands for NAT and ACL?

I want all IPs from outside to be able to ping all IPs inside.

Thanks

RJI (VIP Advocate)

Re: Allowing Ping

Hi,

Here is an example of static NAT. You'll need 1 static NAT entry for each device if you want to ping inbound from the outside. You wouldn't normally do that, unless it was for DMZ hosted services.

object network SWI-1
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.111

object network SWI-2
 host 10.10.1.1
 nat (INSIDE,OUTSIDE) static 1.1.1.112

access-list OUTSIDE_IN extended permit icmp any object SWI-1 echo
access-list OUTSIDE_IN extended permit icmp any object SWI-2 echo

If you were just pinging from inside to outside, you would only need 1 dynamic NAT rule.

HTH

Re: Allowing Ping

Do I need access-group then?
RJI (VIP Advocate)

Re: Allowing Ping

Yes.

access-group OUTSIDE_IN in interface Outside
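
The steps from the thread combined into one configuration, as an added example that is not part of any post above: ICMP inspection for inside-to-outside ping, static NAT plus a source-restricted ACL for outside-to-inside ping, and packet-tracer checks for both the permitted and the denied case. Assumptions: the default `global_policy` and `inspection_default` class are still present, the interface nameif values match the thread's NAT example, and `MON-HOST` with its addresses is a constructed monitoring source, not something from the thread.

```cisco
! Added example. Lines marked ASSUMED are not from the thread.
!
! 1) Inside -> outside ping: stateful ICMP inspection tracks each echo
!    request, so the matching echo-reply is allowed back in without an
!    inbound "permit icmp any any echo-reply" entry.
!    ASSUMED: default global_policy / inspection_default are in place.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2) Outside -> inside ping: one static NAT per host (values from the thread).
object network SWI-1
 host 10.10.0.1
 nat (INSIDE,OUTSIDE) static 1.1.1.111
object network SWI-2
 host 10.10.1.1
 nat (INSIDE,OUTSIDE) static 1.1.1.112
!
! 3) Permit echo only from a known source instead of "any", so the
!    translated hosts are not pingable from the whole Internet.
!    ASSUMED: MON-HOST / 198.51.100.10 is a constructed monitoring host.
object network MON-HOST
 host 198.51.100.10
access-list OUTSIDE_IN extended permit icmp object MON-HOST object SWI-1 echo
access-list OUTSIDE_IN extended permit icmp object MON-HOST object SWI-2 echo
!
! 4) Bind the ACL inbound on the outside interface.
!    Use the nameif exactly as it is configured on the device.
access-group OUTSIDE_IN in interface OUTSIDE
!
! 5) Verify from privileged EXEC (these are not configuration commands).
!    Echo request (type 8, code 0) from the permitted source: expect ALLOW.
packet-tracer input OUTSIDE icmp 198.51.100.10 8 0 1.1.1.111
!    Same packet from another source (ASSUMED 203.0.113.50): expect DROP
!    by the implicit deny at the end of OUTSIDE_IN.
packet-tracer input OUTSIDE icmp 203.0.113.50 8 0 1.1.1.111
!    Hit counters show which entries are actually matching traffic.
show access-list OUTSIDE_IN
```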