Allowing Ping

Hello,

I have a Cisco ASA Firewall 5516-x Firepower with ASA-Image 9-12-2.

The device is completely new and I want to allow ping from outside to inside and from inside to outside.

Can you help me?

Thanks

6 Replies

balaji.bandi
Hall of Fame

You can have an access-list like the one below, in to out and out to in, to allow ICMP.

access-list acl-in-out extended permit icmp any any echo-reply

access-list acl-in-out extended permit icmp any any time-exceeded

BB

***** Rate All Helpful Responses *****

Hi,
Use the command "fixup protocol icmp" to enable inspection for ICMP; this will allow ICMP requests from inside to outside to be permitted. If you want to ping from the outside to inside, it depends; you would probably need to create a static NAT and then permit the traffic on the inbound ACL on the outside interface.

HTH

Perfect,

and can you please write the commands for NAT and ACL?

I want all IPs from outside to be able to ping all IPs inside.

Thanks

Hi,

Here is an example of static NAT; you'll need 1 static NAT entry for each device if you want to ping inbound from the outside. You wouldn't normally do that, unless it was for DMZ hosted services.

object network SWI-1
host 10.10.0.1
nat (INSIDE,OUTSIDE) static 1.1.1.111

object network SWI-2
host 10.10.1.1
nat (INSIDE,OUTSIDE) static 1.1.1.112

access-list OUTSIDE_IN extended permit icmp any object SWI-1 echo
access-list OUTSIDE_IN extended permit icmp any object SWI-2 echo

If you were just pinging from inside to outside you would only need 1 dynamic NAT rule.

HTH

Do I need an access-group then?

Yes.

access-group OUTSIDE_IN in interface Outside
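
An added example, not part of the thread and not Cisco tooling: a small Python check over saved ASA configuration text that lists every `permit icmp` entry and notes ACLs that no `access-group` applies (the point of the last reply) as well as entries that name no ICMP type. The sample config is constructed from the lines quoted in this thread; the `LAB_TEST` ACL and the `Dmz` interface are hypothetical additions for illustration.

```python
import re

# Constructed sample: ACL / access-group lines quoted in this thread, plus a
# hypothetical LAB_TEST ACL bound to a hypothetical Dmz interface.
SAMPLE_CONFIG = """\
access-list acl-in-out extended permit icmp any any echo-reply
access-list acl-in-out extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any object SWI-1 echo
access-list OUTSIDE_IN extended permit icmp any object SWI-2 echo
access-list LAB_TEST extended permit icmp any any
access-group OUTSIDE_IN in interface Outside
access-group LAB_TEST in interface Dmz
"""

ANY = {"any", "any4", "any6"}
TRAILERS = {"log", "inactive", "time-range"}  # keywords that may follow the ACE

def take_addr(tokens):
    """Split one address spec (any | host X | object X | IP MASK) off the front."""
    n = 1 if tokens and tokens[0] in ANY else 2
    return " ".join(tokens[:n]), tokens[n:]

def audit_icmp(config):
    """Return one finding dict per 'permit icmp' ACE found in the config text."""
    bound = {}  # ACL name -> (direction or "global", interface or None)
    pat = r"^access-group (\S+) (?:(in|out) interface (\S+)|global)"
    for m in re.finditer(pat, config, re.M):
        bound[m.group(1)] = (m.group(2) or "global", m.group(3))
    findings = []
    for m in re.finditer(r"^access-list (\S+) extended permit icmp (.+)$", config, re.M):
        name, tokens = m.group(1), m.group(2).split()
        src, rest = take_addr(tokens)
        dst, rest = take_addr(rest)
        icmp_type = rest[0] if rest and rest[0] not in TRAILERS else None
        notes = []
        if name not in bound:
            notes.append("ACL not applied by any access-group")
        if icmp_type is None:
            notes.append("no ICMP type given: every ICMP type is permitted")
        if src in ANY and dst in ANY and bound.get(name, ("",))[0] == "in":
            notes.append("any-to-any ICMP on an inbound ACL")
        findings.append({"acl": name, "src": src, "dst": dst, "type": icmp_type,
                         "bound": bound.get(name), "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit_icmp(SAMPLE_CONFIG):
        print(f["acl"], f["src"], "->", f["dst"], f["type"], f["bound"], f["notes"])
```

On the sample, `acl-in-out` is reported as not applied because the thread never binds it to an interface, while the `OUTSIDE_IN` entries come back with no notes.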