5510 8.4 and ICMP

jpodplesky
Level 1

So I have my shiny new (used, but new to me) 5510 finally working and installed in my dev network. I need to have ICMP (ping and trace route) available from the inside network. I googled and found a few articles on how to do it. I tried modifying the class maps, but it looks like there are changes in the commands in 8.4, and the articles I found evidently were for 8.2 and lower. I tried doing it with access lists, again from examples, and traffic stopped in all directions (not good), so I am back to being functional and was hoping someone can shed some light on how to do it in 8.4. Documentation seems sparse on the net with 8.4.

Thanks! 

Accepted Solutions

Julio Carvajal
VIP Alumni

Can you post the configuration?

In order to allow ICMP messages traversing the ASA, you will need the inspect ICMP.

    policy-map global_policy
     class inspection_default
      inspect icmp

With this you should be able to ping from your inside network to any resource on the outside. Let us know if this works.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio, that works for ICMP and I see where the mistake was. Now to find that other site and let them know there is a typo (dash instead of underscore).

Trace route gets to the destination and displays the destination host name, but all of the hops in between are displaying asterisks and request timeout. Does that mean I need to allow ICMP from the outside in? I depend on ping and trace route almost on a daily basis.

I really appreciate your answer. There is just so much to learn and it changes every day.

Hi Jack,

Maybe this document can help you out sorting what ICMP messages you should permit to make Traceroute work and so on:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Hope it helps.

Mike
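An added configuration example, not posted by anyone in this thread: the ICMP inspection from the accepted answer combined with the usual way to let traceroute replies from intermediate hops back through an ASA. The interface name `outside` and the ACL name `OUTSIDE_IN` are assumptions; if an ACL is already bound inbound on that interface, add the two permit lines to it instead of binding a new one, because only one ACL can be applied per interface and direction.

```cisco
! Constructed example. "outside" and OUTSIDE_IN are assumed names.
!
! 1. Stateful ICMP: echo replies to pings started on the inside are
!    matched to the request and allowed back without an inbound ACL entry.
!    Note the underscores in global_policy and inspection_default.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 2. Traceroute: each intermediate hop answers with ICMP time-exceeded,
!    and a UDP-based traceroute ends with ICMP unreachable from the target.
!    Permit only these two message types inbound, not "icmp any any".
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! 3. Verify: the inspection should show packet counts rising during a ping,
!    and the ACL entries should show hit counts rising during a traceroute.
show service-policy inspect icmp
show access-list OUTSIDE_IN
```

Restricting the inbound entries to `time-exceeded` and `unreachable` keeps unsolicited echo requests from the outside blocked while still letting the hop-by-hop replies through.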

Hello Jack,

It is a pleasure, I am happy that now your problem is solved. I will be more than glad to help you regarding any other issue.

Best Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC