05-28-2019 03:07 AM
Hi,
05-28-2019 03:29 AM
Hi there,
Have you enabled ICMP inspection? Assuming you are using the default inspection policy:
! policy-map global_policy class inspection_default inspect icmp !
cheers,
Seb.
05-28-2019 03:54 AM
You do not require that ACL applied to the inside interface, the reason is it's a higher security level, so inherently it has access to the outside interface.
Conversely, the outside interface does not have any access to the inside, unless traffic is explicitly permitted.
Essentially, for PC2 to reach PC1, you would need to do the same.
In addition you would need inspect icmp, as stated.
Finally, you need to ensure the client firewalls (i.e. Windows Firewall) is configured to permit ICMP (which it does not, by default).
Martin
05-28-2019 04:40 AM
Thanks for your response.
After enabling the icmp inspection now both sides able to ping.
but i couldn't understand what is the functionality of icmp inspection.
And i also i like to inform that inside interface is not able to access the outside interface without ACL.
Thanks.
05-28-2019 05:35 AM
You shouldn't need an ACL ( furthermore, it's not recommended)
As to the question, it's because ICMP is not stateful and does not contain sequence, port numbers etc.
'Inspect ICMP' creates a DACL, so that echo-reply's etc are permitted if the traffic originated from the inside interface.
Martin
05-28-2019 06:00 AM
Hi there,
What @Martin Carr mentions about why the inspection is required is correct.
Regarding the need for the ACL...
Unless a permit statement is placed at the end of an ACL it has an implicit deny. In the case of your ACL, since it is INbound on the inside interface without that particular ACE the ICMP traffic will be denied. It is worth remembering that on an ASA in the absence of ACLs traffic is always permitted from a higher security level to a lower one, therefore this particular ACL is not required and the inspect statement will ensure that the return traffic is permitted without the need of further ACLs.
Hope that makes sense, and don't forget to mark correct/ helpful posts ;)
cheers,
Seb.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: