Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1899
Views
5
Helpful
1
Replies

asa 5510 access rules

Namal Suranga
Level 1
Level 1

‎08-14-2012 12:35 AM - edited ‎03-11-2019 04:41 PM

when i create a rule and enable icmp in ASA inside to outside direction to testing purpose, but I can't ping outside address ,

access-list ICMP extended permit icmp any any

access-group ICMP in interface inside

LOGG:::

ping 8.8.8.8

%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)

%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)

then I have permited icmp for return path then it works, cofigs and logs are followed,

access-list ICMP extended permit icmp any any

access-group ICMP in interface outside

LOGG:::

ping 8.8.8.8

%ASA-6-302020: Built inbound ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14

%ASA-6-302021: Teardown ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14


Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎08-14-2012 03:23 AM

Hi,

Add the following "inspect" rule for the firewall to automatically allow echo-reply messages without OUTSIDE access-list

policy-map global_policy

class inspection_default

  inspect icmp

- Jouni

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top