06-19-2024 11:08 PM
Hello Team,
I have a Cisco ASA firewall connected to the ISP. I have allowed internet access for downstream devices on the ASA.
I have a case where servers downstream are able to browse the internet, but are not able to ping, for example, 8.8.8.8.
Is there an ACL restriction anywhere? Is there an extra command I need for ping replies to be successful? This is useful for troubleshooting.
Thank you.
06-19-2024 11:26 PM
@fmugambi you can enable ICMP inspection to allow ping responses; use the CLI command fixup protocol icmp.
This will amend the class map as below:
class inspection_default
inspect icmp
06-20-2024 12:03 AM
My always-first-step command:
config t
fixup protocol icmp
end
06-20-2024 04:21 AM
On that note, is there a specific CLI command to just check ACLs with hit counts only?
06-20-2024 04:35 AM
ASA# show access-list | exclude hitcnt=0
06-20-2024 04:50 AM
If I have multiple, say dm_access_in, outside_access_in, inside_access_out, how do I filter to specific ones?
06-20-2024 05:01 AM
@fmugambi you just add the name of the ACL, i.e.,
show access-list dm_access_in | exclude hitcnt=0
show access-list outside_access_in | exclude hitcnt=0
show access-list inside_access_out | exclude hitcnt=0
06-20-2024 05:10 AM
Thanks, helpful.
What if, say, in dm_inside_access_out I have multiple VLANs: 172.16.10.0/24, .20/24, .30/24?
Is it possible to drill down to a specific VLAN and get the hit count per VLAN?
06-20-2024 07:02 AM - edited 06-20-2024 07:03 AM
The ASA ACL is applied to the L3 interface, which has a nameif and a VLAN.
show run | in <nameif>
Then you will see
the access-group with that nameif.
Last,
do
show access-list <name of the access-group that appears> | include hitcnt
This way you can see the access-list hitcnt for each VLAN.
MHM
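The per-VLAN drill-down asked about above, as an added example that is not part of this thread: a small Python parser for "show access-list" output that sums hitcnt per source subnet and for one chosen VLAN. The sample output is constructed (not captured from a real ASA), and the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample of "show access-list" output; not captured from a real ASA.
SAMPLE = """\
access-list dm_inside_access_out; 4 elements; name hash: 0x1a2b3c4d
access-list dm_inside_access_out line 1 extended permit icmp 172.16.10.0 255.255.255.0 any (hitcnt=25) 0xaaaa0001
access-list dm_inside_access_out line 2 extended permit tcp 172.16.20.0 255.255.255.0 any eq www (hitcnt=0) 0xaaaa0002
access-list dm_inside_access_out line 3 extended permit tcp 172.16.20.0 255.255.255.0 any eq https (hitcnt=140) 0xaaaa0003
access-list dm_inside_access_out line 4 extended deny ip 172.16.30.0 255.255.255.0 any (hitcnt=7) 0xaaaa0004
"""

# One ACE per line; the summary line ("; 4 elements") has no "line N" and is skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any\d?|host \S+|\S+ \S+) .*\(hitcnt=(?P<hits>\d+)\)"
)

def src_to_network(src):
    """Map 'addr mask' / 'host addr' / 'any' to an ip_network; None for object sources."""
    if src.startswith("any"):
        return ip_network("0.0.0.0/0")
    if src.startswith("host "):
        return ip_network(src.split()[1])           # single address -> /32
    try:
        return ip_network(src.replace(" ", "/"))    # ip_network accepts dotted masks
    except ValueError:
        return None                                 # object / object-group source

def parse_aces(text):
    """Return one dict per ACE: acl, line, action, proto, src, net, hits."""
    aces = []
    for m in filter(None, map(ACE_RE.match, (l.strip() for l in text.splitlines()))):
        d = m.groupdict()
        d["line"], d["hits"] = int(d["line"]), int(d["hits"])
        d["net"] = src_to_network(d["src"])
        aces.append(d)
    return aces

def hits_by_source(aces, acl=None):
    """Non-zero hitcnt summed per source subnet, optionally for one ACL only."""
    totals = {}
    for a in aces:
        if (acl is None or a["acl"] == acl) and a["hits"] and a["net"] is not None:
            totals[str(a["net"])] = totals.get(str(a["net"]), 0) + a["hits"]
    return totals

def hits_for_vlan(aces, vlan_cidr):
    """Drill down to one VLAN: total hits of ACEs whose source lies inside it."""
    vlan = ip_network(vlan_cidr)
    return sum(a["hits"] for a in aces if a["net"] is not None and a["net"].subnet_of(vlan))
```

Feed it the saved output of show access-list <name> for the access-group found on the VLAN's nameif, and the zero-hit ACE on line 2 is dropped from the per-subnet totals the same way "| exclude hitcnt=0" drops it.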