Allow ICMP through Cisco ASA

11-20-2018 08:48 AM - edited 02-21-2020 08:29 AM
I know this seems trivial, but I can't seem to figure it out. I have a solarwinds server internal of my network and I need to be able to let IPAM scan public IP addresses that are beyond the ASA firewall.
How can I accomplish this?
11-20-2018 09:01 AM
ASA(config)# fixup protocol icmp
OR
ASA(config)# policy-map global_policy
ASA(config-pmap)# class default-inspection-class
ASA(config-pmap-c)# inspect icmp
If this doesn't achieve what you want, please provide your configuration.
HTH
11-20-2018 09:04 AM
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
inspect snmp
It's in the policy map.
I think the challenge is to ONLY allow that one internal host to ping and receive echo replies, so I don't open ICMP to all the world.
11-20-2018 09:08 AM
This should allow ping returns from one host:
access-list Outside_access_in permit icmp host 192.168.10.1 any echo-reply
access-group Outside_access_in in interface OUTSIDE
11-20-2018 10:33 AM
Given that you have the "inspect icmp", you only need to allow icmp echo for your solarwinds host on your inside ACL:
access-list inside-access-in permit icmp host X.X.X.X any echo
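As an added example (not from this thread or from Cisco), a small audit script that reads an ASA config excerpt and reports which ICMP ACEs are scoped to a single host plus an ICMP type versus open to any source, and whether "inspect icmp" is present (with inspection on, echo-replies return statefully and no outside echo-reply ACE is needed). The config text and the 192.0.2.10 address standing in for X.X.X.X are constructed for the example.

```python
import re

# Constructed ASA config excerpt for the example; 192.0.2.10 stands in for the
# SolarWinds host (X.X.X.X in the thread). The Outside_access_in line shows the
# over-broad rule the original poster wanted to avoid.
SAMPLE_CONFIG = """\
access-list inside-access-in extended permit icmp host 192.0.2.10 any echo
access-list inside-access-in extended permit tcp any any eq 443
access-list Outside_access_in extended permit icmp any any
access-group inside-access-in in interface inside
access-group Outside_access_in in interface OUTSIDE
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
"""

# Source/destination forms accepted: any, host A.B.C.D, or network mask.
ADDR = r"any|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+"
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) (?:extended )?(?P<action>permit|deny) icmp "
    rf"(?P<src>{ADDR}) (?P<dst>{ADDR})(?: (?P<type>[a-z-]+))?$"
)


def icmp_inspected(config: str) -> bool:
    """True if 'inspect icmp' is enabled; replies are then allowed statefully,
    so only the inside echo ACE is needed (no outside echo-reply ACE)."""
    return any(line.strip() == "inspect icmp" for line in config.splitlines())


def audit_icmp_acls(config: str) -> list[dict]:
    """One finding per ICMP permit ACE, flagging rules open to any source or
    lacking an ICMP type restriction."""
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m["action"] != "permit":
            continue
        src, itype = m["src"], m["type"]
        findings.append({
            "acl": m["name"],
            "source": src,
            "icmp_type": itype or "all",
            "open_to_any_source": src == "any",
            "scoped_to_single_host": src.startswith("host ") and itype is not None,
        })
    return findings
```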
11-20-2018 10:42 AM
11-20-2018 10:47 AM
Well, if the packets don't make it to the device where you do the access-control, then for sure it will be a problem ...
