CISCO ASA

fmugambi
Spotlight

Hello Team,

I have a Cisco ASA firewall connected to the ISP. I have allowed internet access for downstream devices on the ASA.

I have a case where servers downstream are able to browse the internet, but not able to ping, for example, 8.8.8.8.

Is there an ACL restriction anywhere? Is there an extra command I need for ping replies to be successful? This is useful for troubleshooting.

Thank you.

1 Accepted Solution

Accepted Solutions

@fmugambi You can enable ICMP inspection to allow ping responses; use the CLI command fixup protocol icmp.

This will amend the class map as below

class inspection_default
 inspect icmp


8 Replies


balaji.bandi
Hall of Fame

My always first step command:

config t
fixup protocol icmp
end

BB


fmugambi
Spotlight

On that note, is there a specific CLI command to check just the ACLs with hit counts?

@fmugambi 

ASA# show access-list | exclude hitcnt=0

If I have multiple, say dm_access_in, outside_access_in, inside_access_out, how do I filter to specific ones?

@fmugambi You just add the name of the ACL, i.e.:

show access-list dm_access_in | exclude hitcnt=0
show access-list outside_access_in | exclude hitcnt=0
show access-list inside_access_out | exclude hitcnt=0

fmugambi
Spotlight

Thanks, helpful.

What if, say, in dm_inside_access_out I have multiple VLANs, 172.16.10.0/24, .20/24, .30/24?

Is it possible to drill down to a specific VLAN and get the hit count per VLAN?

The ASA ACL is applied to the L3 interface, which has a nameif and a VLAN.

show run | in <nameif>

Then you will see the access-group with the nameif. Last, do

show access-list <name of access-group that appears> | include hitcnt

This way you can see the access-list hitcnt for each VLAN.

MHM
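To take the per-VLAN hit-count question a step further, here is an added Python example (not from this thread, and not a Cisco tool) that parses "show access-list" output and sums hitcnt per VLAN subnet, skipping hitcnt=0 entries the same way "| exclude hitcnt=0" does. The sample output, the ACL names and the VLAN subnets are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "show access-list" output; not captured from a real ASA.
SAMPLE_OUTPUT = """\
access-list dm_inside_access_out; 5 elements; name hash: 0x12345678
access-list dm_inside_access_out line 1 extended permit ip 172.16.10.0 255.255.255.0 any (hitcnt=1200) 0x11111111
access-list dm_inside_access_out line 2 extended permit tcp 172.16.20.0 255.255.255.0 any eq www (hitcnt=340) 0x22222222
access-list dm_inside_access_out line 3 extended permit tcp 172.16.20.0 255.255.255.0 any eq https (hitcnt=0) 0x33333333
access-list dm_inside_access_out line 4 extended deny icmp 172.16.30.0 255.255.255.0 any (hitcnt=17) 0x44444444
access-list dm_inside_access_out line 5 extended permit ip host 172.16.30.5 any (hitcnt=3) 0x55555555
access-list outside_access_in line 1 extended permit tcp any host 203.0.113.10 eq www (hitcnt=999) 0x66666666
"""

# One access-control entry (ACE) line; the "; N elements" summary line does not match.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line \d+ extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse_source(rest):
    """Source of an ACE as an ip_network, or None for 'any', object-group or unparsed forms."""
    tokens = rest.split()
    try:
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1])                  # a single /32
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")    # "network mask" form
    except (ValueError, IndexError):                                # 'any', object-group, ...
        return None

def hits_per_vlan(output, acl_name, vlans, skip_zero=True):
    """Sum hitcnt per VLAN subnet for one ACL. ACEs whose source lies inside a
    VLAN subnet (a host or a sub-network) are credited to that VLAN; 'any',
    object-group and unparsed sources land in the 'other' bucket."""
    vlan_nets = [ipaddress.ip_network(v) for v in vlans]
    totals = defaultdict(int)
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group("acl") != acl_name:
            continue
        hits = int(m.group("hits"))
        if skip_zero and hits == 0:
            continue
        src = parse_source(m.group("rest"))
        bucket = next((str(v) for v in vlan_nets if src and src.subnet_of(v)), "other")
        totals[bucket] += hits
    return dict(totals)
```

Calling hits_per_vlan(SAMPLE_OUTPUT, "dm_inside_access_out", ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]) credits the host entry on line 5 to its /24, which the raw "| include hitcnt" listing leaves to the reader.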
