cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
311
Views
2
Helpful
8
Replies

CISCO ASA

fmugambi
Spotlight
Spotlight

Hello Team,

I have a cisco asa firewall connected to ISP. I have allowed internet access of downstream devices on the asa.

I have a case where, servers downstream are able to browse internet, but not able to ping for example 8.8.8.8.

is there an acl restriction anywhere? is there an extra command i need for ping replies to be successful. this is useful for troubleshooting.

Thank you.

1 Accepted Solution

Accepted Solutions

@fmugambi you can enable ICMP inspection to allow ping responses, use the CLI command fixup protocol icmp

This will amend the class map as below

class inspection_default
inspect icmp

 

 

View solution in original post

8 Replies 8

@fmugambi you can enable ICMP inspection to allow ping responses, use the CLI command fixup protocol icmp

This will amend the class map as below

class inspection_default
inspect icmp

 

 

balaji.bandi
Hall of Fame
Hall of Fame

My always first step  command 

config t

fixup protocol icmp

end

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

fmugambi
Spotlight
Spotlight

on that note, is there a specific cli command to just check acls with hit counts only?

@fmugambi 

ASA# show access-list | exclude hitcnt=0

if i have multiple, say dm_access_in, outside_access_in, inside_access_out, how do i filter to specifics?

@fmugambi you just add the name of the ACL, i.e.,

show access-list dm_access_in | exclude hitcnt=0
show access-list outside_access_in | exclude hitcnt=0
show access-list inside_access_out | exclude hitcnt=0

fmugambi
Spotlight
Spotlight

thanks, helpful.

what if say in dm_inside_access_out, i have multiple vlans, 172.16.10.0/24,.20/24,.30.24.

is it possible to drill to specific vlan and get hitcount per vlan based?

the ASA ACL is apply to L3 interface which have nameif and VLAN, 
show run | in <nameif>
then you will see 

access-group with nameif 
last 
do
show access-list <name of access-group appear> | include hitcnt 

this way you can see access list hitcnt for each vlan 

MHM

Review Cisco Networking for a $25 gift card