ASA5510 wont allow ping and other traffic.

jvujcich
Level 1

Hi all.

I am trying to setup an ASA5510 to protect our new Network Lab, that I'm building for work.

However, I started running into issues and have tried to reduce the configuration to allow everything to everything.

I basically want it to be a router, to begin with, and then build policies on top.

But still, the ASA blocks ping and other traffic.

I have attached a pdf with the setup and outputs for you perusal.

Please assist if you can.

2 Accepted Solutions

nspasov
Cisco Employee

Hi there! A few things to mention:

1. I don't see the PDF attachment

2. You need to configure ICMP inspection in order for ICMP/ping to work through the ASA. Take a look at this thread for more info:

https://community.cisco.com/t5/firewalls/ping-through-asa/td-p/1324977

3. By default the ASA will only allow traffic from a higher security level to a lower security level. All other traffic has to be explicitly permitted.

4. By default the ASA will drop traffic between interfaces with the same security level and between hosts on the same interface. If you want to permit these, take a look at the following link:

https://www.networkstraining.com/permitting-traffic-to-enter-and-exit-the-same-interface-same-security-traffic-permit/

5. Depending on the version of code that you are running, you might have "nat control" enabled. This feature requires that traffic hits a NAT rule before it is permitted.

6. The packet-tracer command is your best friend when troubleshooting flows through your ASA. For more information on that you can check the following link:

https://community.cisco.com/t5/security-documents/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

I hope this helps!

Thank you for rating helpful posts!
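An added example, not from the thread or from Cisco: a small Python audit that reads an ASA running-config and flags the conditions behind items 2, 4 and 5 above (missing ICMP inspection, same-security interfaces without a same-security-traffic permit, and nat-control). The config text is constructed and the interface names are made up.

```python
import re

# Constructed sample running-config (not from the thread): two sub-interfaces
# on one physical port at the same security level, no same-security-traffic
# statement, and a global_policy without "inspect icmp".
SAMPLE_CONFIG = """\
interface Ethernet0/0.10
 nameif lab10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0.20
 nameif lab20
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

def parse_interfaces(cfg):
    """Map each nameif to its security-level, one '!'-delimited stanza at a time."""
    ifaces = {}
    for stanza in re.split(r"^!\s*$", cfg, flags=re.M):
        name = re.search(r"^\s*nameif (\S+)", stanza, re.M)
        level = re.search(r"^\s*security-level (\d+)", stanza, re.M)
        if name and level:
            ifaces[name.group(1)] = int(level.group(1))
    return ifaces

def audit(cfg):
    """Return findings keyed to the numbered items in the accepted answer."""
    findings = []
    by_level = {}
    for name, level in parse_interfaces(cfg).items():
        by_level.setdefault(level, []).append(name)
    # Interfaces sharing a security level are silently dropped between each other.
    peers = [sorted(v) for v in by_level.values() if len(v) > 1]
    if peers and "same-security-traffic permit inter-interface" not in cfg:
        findings.append(f"item4: same-level interfaces {peers} need inter-interface permit")
    if "same-security-traffic permit intra-interface" not in cfg:
        findings.append("item4: hairpin traffic (in and out the same interface) is dropped")
    if not re.search(r"^\s*inspect icmp\s*$", cfg, re.M):
        findings.append("item2: 'inspect icmp' missing; echo replies are not tracked as a session")
    if re.search(r"^nat-control\s*$", cfg, re.M):
        findings.append("item5: nat-control is on; flows must match a NAT rule")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the three findings the sample triggers; feed it `show running-config` output instead to check a real box.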


Thanks. The issue was to do with item 4 (I had to add same-security-traffic permit intra-interface).

That is possibly because I was trying to ping between sub-interfaces (that belong to the same physical interface).

Thanks a lot!


6 Replies


Hi there,

Yes, I think I have done those things, but not the NAT thing.

I have re-attached the pdf here.


Fantastic! Glad your issue is resolved and thank you for taking the time to come back and share the outcome with everyone!

I have done an access-list and allowed icmp inspect, but still can't ping anything, not even my own management interface.

interface Management1/1
 management-only
 nameif managment-omly
 security-level 100
 ip address 10.255.255.13 255.255.255.0
ciscoasa(config)# access-group inside in interface managment-omly
!
ciscoasa(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error

Can someone help please? It's driving me crazy.

Thank you guys

Hi there-

Allowing ICMP through the ASA and to the ASA are two different things, and the configurations are different. Configuring ICMP inspection enables ICMP to flow through the ASA. On the other hand, if you want the ASA itself to respond to ICMP, then you will need the following configuration (in this example, you are configuring the ASA to respond to ping from the 192.168.0.0/16 subnet on the management interface):

icmp permit 192.168.0.0 255.255.255.0 management

I hope this helps!

Thank you for rating helpful posts!
