10-29-2019 08:37 PM - edited 02-21-2020 09:38 AM
Hi all.
I am trying to set up an ASA5510 to protect our new Network Lab, which I'm building for work.
However, I started running into issues and have tried to reduce the configuration to allow everything to everything.
I basically want it to be a router, to begin with, and then build policies on top.
But still, the ASA blocks ping and other traffic.
I have attached a PDF with the setup and outputs for your perusal.
Please assist if you can.
10-29-2019 09:41 PM
Hi there! A few things to mention:
1. I don't see the PDF attachment
2. You need to configure ICMP inspection in order for ICMP/ping to work through the ASA. Take a look at this thread for more info:
https://community.cisco.com/t5/firewalls/ping-through-asa/td-p/1324977
3. By default the ASA will only allow traffic from higher security level to a lower security level. All other traffic has to be explicitly permitted.
4. By default the ASA will drop traffic between interfaces with the same security level and between hosts on the same interface. If you want to permit these, take a look at the following link:
5. Depending on the version of code that you are running, you might have "nat control" enabled. This feature requires that traffic hits a NAT rule before it is permitted.
6. The packet-tracer command is your best friend when troubleshooting flows through your ASA. For more information on that you can check the following link:
I hope this helps!
Thank you for rating helpful posts!
11-19-2019 06:19 PM
Thanks, the issue was to do with item 4 (had to add same-security-traffic permit intra-interface).
That is possibly because I was trying to ping between sub-interfaces (That belong to the same Physical interface).
Thanks a lot!
11-20-2019 08:26 PM
Fantastic! Glad your issue is resolved and thank you for taking the time to come back and share the outcome with everyone!
11-21-2019 02:31 PM
I have configured an access-list and allowed ICMP inspection, but I still can't ping anything, not even the ASA's own management interface.
interface Management1/1
 management-only
 nameif managment-omly
 security-level 100
 ip address 10.255.255.13 255.255.255.0
ciscoasa(config)# access-group inside in interface managment-omly
!
ciscoasa(config)# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
Can someone help please? It's driving me crazy.
Thank you guys
11-21-2019 06:42 PM
Hi there-
Allowing ICMP through the ASA and to the ASA are two different things and configurations are different. Configuring ICMP inspection enables the ICMP to flow through the ASA. On the other hand, if you want the ASA to respond to ICMP then you will need the following configuration (In this example, you are configuring the ASA to respond to ping from the 192.168.0.0/16 subnet on the management interface):
icmp permit 192.168.0.0 255.255.0.0 management
I hope this helps!
Thank you for rating helpful posts!
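As an added check that is not part of this thread, the script below parses a running-config excerpt (constructed here, modelled on the one posted above) and reports the three settings the answers hinge on: ICMP inspection in an applied global policy, the intra-interface permit, and an explicit icmp permit for each nameif. The function and result-key names are my own.

```python
import re

# Constructed running-config excerpt modelled on the thread (not a real device dump):
# ICMP inspection is on, but there is no intra-interface permit and no "icmp permit".
SAMPLE_CONFIG = """\
interface Management1/1
 nameif managment-omly
 security-level 100
 ip address 10.255.255.13 255.255.255.0
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
"""

def parse_blocks(config: str) -> dict[str, list[str]]:
    """Map each top-level command to its (flattened) indented sub-commands."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit_icmp(config: str) -> dict[str, object]:
    """Check the three ICMP-related settings the thread turns on."""
    blocks = parse_blocks(config)
    top = set(blocks)
    policy = blocks.get("policy-map global_policy", [])
    # Through-the-box ICMP: "inspect icmp" in the global policy, which must be applied globally.
    icmp_through = "inspect icmp" in policy and "service-policy global_policy global" in top
    # Hosts behind one interface (e.g. sub-interfaces of one physical port) need this permit.
    intra = "same-security-traffic permit intra-interface" in top
    # To-the-box ICMP is granted per nameif by "icmp permit <net> <mask> <nameif>".
    permitted = {m.group(1) for line in top
                 if (m := re.match(r"icmp permit \S+ \S+ (\S+)$", line))}
    nameifs = [sub.split()[1] for cmd, subs in blocks.items()
               if cmd.startswith("interface ") for sub in subs if sub.startswith("nameif ")]
    return {"icmp_inspected_through": icmp_through,
            "intra_interface_permitted": intra,
            "nameifs_without_icmp_permit": sorted(n for n in nameifs if n not in permitted)}
```

Run it against your own `show run` output to see which of the three settings is still missing before reaching for packet-tracer.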