09-08-2014 08:23 AM - edited 03-11-2019 09:43 PM
Hi All,
Firewall rookie here. I am setting up two mock sites to talk to each other, and I am having a very basic problem: I can't ping the outside interface IP (vlan 2) on my ASA from my PC that is directly attached to the inside (vlan 1) interface of the same ASA.
I've attached a diagram, along with the ASA configs. Please review and let me know what silly thing I am missing.
Thanks.
09-08-2014 08:44 AM
From document located here https://supportforums.cisco.com/document/146031/allow-icmp-through-cisco-asa
To allow ICMP:
1. NAT is required if the outside IP is from the public IP range (Ex: 209.165.200.0/24); for a private IP, NAT is not required.
2. NAT is not required if the NAT Control is not enabled in Firewall.
3. NAT is required if NAT Control is enabled in firewall even if the outside ip is private IP.
4. No need of ACL as by default the traffic is allowed from Higher Security Level to Lower Security Level (In our case Inside-100 to Outside-0)
5. Just Configure ICMP Inspect to allow ping in our case:
ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside
09-08-2014 08:46 AM
You're not missing anything ... That's just not supported on the ASA. You can only ping the interface that's next to you. So if you are sitting inside of ASA1, you can ping ASA1-inside, but not ASA1-outside. You can (given you have access-control for that) ping ASA2-outside, but not ASA2-inside.
To ping through the ASA you should also reconfigure the ASA to make the ping stateful. For that you have to extend the default policy-map:
policy-map global_policy
class inspection_default
inspect icmp
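As an added example (not from the thread or from Cisco), here is a small Python audit that reads an ASA running-config and reports whether "inspect icmp" is actually applied to a given interface, either through the default global_policy described above or through an interface-bound policy like the icmp_policy in the earlier reply. The sample config is constructed for illustration.

```python
# Added example (not from the thread or Cisco): audit an ASA running-config
# for stateful ICMP inspection by parsing the indented policy-map / class /
# inspect hierarchy and the service-policy bindings. Samples are constructed.
import re

def parse_policy_maps(config: str) -> dict:
    """Return {policy_map: {class_name: set(inspected_protocols)}}."""
    policies, pmap, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip())
        tokens = line.split()
        if indent == 0:  # any top-level command closes the open policy-map
            pmap = cls = None
            # Skip 'policy-map type inspect ...' blocks (more than 2 tokens).
            if tokens[0] == "policy-map" and len(tokens) == 2:
                pmap = tokens[1]
                policies.setdefault(pmap, {})
        elif pmap and indent == 1 and tokens[0] == "class":
            cls = tokens[1]
            policies[pmap].setdefault(cls, set())
        elif cls and indent == 2 and tokens[0] == "inspect":
            policies[pmap][cls].add(tokens[1])
    return policies

def parse_service_policies(config: str) -> dict:
    """Return {scope: policy_map}; scope is 'global' or an interface nameif."""
    pattern = r"^service-policy (\S+) (?:(global)|interface (\S+))\s*$"
    return {m.group(2) or m.group(3): m.group(1)
            for m in re.finditer(pattern, config, re.M)}

def icmp_inspected(config: str, interface: str) -> bool:
    """True if 'inspect icmp' reaches `interface` via the global or its own policy."""
    policies = parse_policy_maps(config)
    bound = parse_service_policies(config)
    return any("icmp" in protos
               for scope in ("global", interface) if scope in bound
               for protos in policies.get(bound[scope], {}).values())

# Constructed sample: the default global policy with 'inspect icmp' added.
ASA_WITH_ICMP = """\
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!
service-policy global_policy global
"""
```

Run it against the output of "show running-config" saved to a file; a False result for the interface you ping through means echo replies depend on an ACL rather than on stateful inspection.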
09-08-2014 08:59 AM
Thank you both.
Karsten,
To make it stateful, would I just add those commands you listed in addition to Michael's configs? Or would I need to make changes to Michael's configs in order to include your configs?
09-08-2014 09:13 AM
I assumed that you have the following default configuration:
09-08-2014 09:24 AM
OK, so then all I need to do is have that default policy from your link configured, then add "inspect icmp" to it basically, and that should be all I need to ping through it?
09-08-2014 09:26 AM
Yes, but still not the outside interface from the inside. But with that you can ping to another device on the outside.
09-08-2014 09:51 AM
Ok, gotcha. Thank you Sir.