Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
483
Views
1
Helpful
6
Replies

ASA5506 Access Question

bwn
Level 1
Level 1

‎07-28-2023 08:37 AM

We have an ASA5506 and I'm trying to have an IP address that is accessible on the outside interface be accessible on the inside interface. I can ping the address if I select outside interface but there is no response when trying to ping from the inside interface. I'm using the ASDM tool as I don't spend a lot of time managing routers. I tried changing the security level of the outside interface to 100 to match the inside interface as I thought traffic may be allowed if the same security level but that didn't seem to make a difference. 

0 Helpful
6 Replies 6

Flavio Miranda
VIP
VIP

‎07-28-2023 08:41 AM - edited ‎07-28-2023 08:44 AM

Hi @bwn 

 If you can keep the same security level, use the command

same-security-traffic permit inter-interface

 

FlavioMiranda_0-1690559037906.png

 

 

0 Helpful

bwn
Level 1
Level 1
In response to Flavio Miranda

‎07-28-2023 08:56 AM - edited ‎07-28-2023 08:56 AM

2023-07-28_11-54-01.jpgI have done that as you can see in the screenshot attached. I've also set the security level the same. If I do a tracert from the outside interface it works fine but when I change to the inside_1 interface it hangs. 

0 Helpful

Rob Ingram
VIP
VIP
In response to bwn

‎07-28-2023 10:09 AM

@bwn for ICMP you either need to explictly permit ICMP echo-reply inbound on the outside interface ACL or as @MHM Cisco World mentioned enable ICMP inspection. Enable ICMP inspection using the CLI command fixup protocol icmp

To allow traceroute from inside to outside then you need to permit icmp time-exceeded and unreachable inbound on the outsisde interface ACL. Example https://integratingit.wordpress.com/2018/12/15/allow-icmp-traceroute-through-cisco-asa/

Also change the security level of the outside interface to 0, traffic from a low security level to a high level is denied as default (which is what you want on the outside interface).

bwn
Level 1
Level 1
In response to Rob Ingram

‎07-28-2023 01:35 PM

I've changed the outside security back to 0. Is this where I should be permitting the ICMP echo reply? Is there anywhere I need to add anything?

2023-07-28_16-32-59.jpg

0 Helpful

MHM Cisco World
VIP
VIP
In response to bwn

‎07-28-2023 02:04 PM 

asa# packet-tracer input inside icmp x.x.x.x 8 0 y.y.y.y detail

x.x.x.x is inside subnet 

0 Helpful

MHM Cisco World
VIP
VIP

‎07-28-2023 08:45 AM

1- icmp inspection 

2-allow icmp via inside acl if found 

3- route OUT 0.0.0.0 0.0.0.0 must add to asa 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card