Can't ping ASA 5505 WAN from PC on LAN

Dean Romanelli
Level 4

Hi All,

Firewall rookie here. I am setting up two mock sites to talk to each other, and I am having a very basic problem: I can't ping the outside interface IP (vlan 2) on my ASA from my PC that is directly attached to the inside (vlan 1) interface of the same ASA.

I've attached a diagram, along with the ASA configs. Please review and let me know what silly thing I am missing.

Thanks.


7 Replies

michael o'nan
Level 4

From the document located here: https://supportforums.cisco.com/document/146031/allow-icmp-through-cisco-asa

To allow ICMP:

1. NAT is required if the outside IP is from a public IP range (e.g. 209.165.200.0/24); for a private IP, NAT is not required.

2. NAT is not required if NAT Control is not enabled on the firewall.

3. NAT is required if NAT Control is enabled on the firewall, even if the outside IP is a private IP.

4. No ACL is needed, as by default traffic is allowed from a higher security level to a lower security level (in our case, inside at 100 to outside at 0).

5. Just configure ICMP inspection to allow ping, in our case:

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside

You're not missing anything ... That's just not supported on the ASA. You can only ping the interface that's next to you. So if you are sitting inside of ASA1, you can ping ASA1-inside, but not ASA1-outside. You can (given you have access-control for that) ping ASA2-outside, but not ASA2-inside.

To ping through the ASA you should also reconfigure the ASA to make the ping stateful. For that you have to extend the default policy-map:

policy-map global_policy
 class inspection_default
  inspect icmp
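As an added example (not code from this thread, from Cisco, or from the poster), a small Python audit that reads an ASA running-config and reports where ICMP inspection is actually in effect, so you can confirm that the "inspect icmp" line Karsten describes (or Michael's interface-bound variant) landed in a policy-map that is bound with service-policy. The sample config is constructed; the function names and the web_policy policy-map are assumptions, while global_policy and inspection_default are the ASA defaults named above.

```python
import re

# Constructed sample running-config excerpt (not the thread's attachment), with
# "inspect icmp" added to the default global_policy as Karsten describes.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect icmp
policy-map web_policy
 class inspection_default
  inspect http
service-policy global_policy global
service-policy web_policy interface outside
"""

def parse_policy_maps(config: str) -> dict[str, set[str]]:
    """Map each policy-map name to the set of 'inspect' engines enabled in it."""
    policies: dict[str, set[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            current = line.split()[1]
            policies[current] = set()
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
        elif current is not None:
            m = re.match(r"\s+inspect\s+(\S+)", line)
            if m:
                policies[current].add(m.group(1))
    return policies

def parse_service_policies(config: str) -> dict[str, str]:
    """Map each applied policy-map to 'global' or the interface nameif it is bound to."""
    bound: dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r"service-policy\s+(\S+)\s+(global|interface\s+(\S+))", line)
        if m:
            bound[m.group(1)] = m.group(3) or "global"
    return bound

def icmp_inspection_scope(config: str) -> list[str]:
    """Where stateful ICMP inspection applies: ['global'], interface names, or [] if none."""
    policies = parse_policy_maps(config)
    scopes = [where for name, where in parse_service_policies(config).items()
              if "icmp" in policies.get(name, set())]
    return ["global"] if "global" in scopes else sorted(scopes)
```

An empty result means echo requests will leave but the replies have no state to match against and will be dropped, which is exactly the symptom the thread is about.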

Thank you both.

Karsten,

To make it stateful, would I just add those commands you listed in addition to Michael's configs? Or would I need to make changes to Michael's configs in order to include your configs?

OK, so then all I need to do is have that default policy from your link configured, then add "inspect icmp" to it basically, and that should be all I need to ping through it?

Yes, but still not the outside interface from the inside. But with that you can ping to another device on the outside.

Ok, gotcha. Thank you Sir.
