1168 Views | 0 Helpful | 2 Replies

Default Configuration ASA 5510 is totally Missing Global-Policy

Caleb Hubbartt
Level 1

ASA 5510 running 8.4(7), ASDM 7.1(1)

 

This is the first time I have seen this but it appears that the Global-Policy inspection map is not there at all in the default factory reset configuration. In all my past experiences with ASA this is preconfigured on the default startup config. It appears that there is a wizard I can run under "service policy objects" in ASDM but I'm not sure I want to do that if I don't have to. This particular ASA is being used in a very "walled off" scenario with a whitelist of allowed IP networks so I'm not really sure if I want to enable inspection if I don't have to. This is not really protecting web servers or inside hosts to the internet so the simpler I can keep the config the better. 

 

At the root of this I'm trying to configure to allow ping and traceroute through the ASA, which I know how to do and is part of my editing the default global policy in the standard configuration. I do this for all my ASAs but this is throwing me a loop. If the global-policy is not there is it still doing its inspection? It doesn't appear to be allowing traceroute back through the ASA.

 

 

WC-ASA# show run policy-map
WC-ASA#  

2 Replies

mikael.lahtela
Level 4
Hi,

I have seen this sometimes that the global policy is missing.
And I don't think your icmp will work as expected if you are missing the global policy.
You have two options, add global policy with icmp inspect or open firewall rules for icmp.

Here is an icmp object to work with:
object-group icmp-type icmp_types_allowed
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable

br, Micke
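
The two options Micke describes, written out as ASA CLI for reference. This is an added example, not configuration from either poster or from Cisco. Option 1 recreates the global policy with only the ICMP inspects added (class-map and policy-map names are the ASA defaults; the full list of default protocol inspects is in the Cisco document linked in the next reply and is left out here). Option 2 keeps inspection off and permits the required ICMP types by ACL; the interface name "outside", the ACL name "outside_access_in" and the network object-group "ALLOWED_NETS" (standing in for the whitelisted networks mentioned in the question) are assumed placeholders.

```text
! ---- Option 1: global policy with ICMP inspection (added example) ----
! With "inspect icmp" the ASA tracks echo/echo-reply as a session, so ping
! replies return without an explicit ACL entry. "inspect icmp error" matches
! ICMP error messages (time-exceeded, unreachable) to the flow that caused
! them, which is what traceroute replies need to get back through.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

! ---- Option 2: no inspection, explicit ACL for ICMP (added example) ----
! Object-group from Micke's reply, reused here.
object-group icmp-type icmp_types_allowed
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
!
! ALLOWED_NETS is an assumed placeholder: the network object-group holding
! the whitelisted IP networks. Restricting the source to it keeps the ACL
! consistent with the walled-off design instead of permitting "any".
access-list outside_access_in extended permit icmp object-group ALLOWED_NETS any object-group icmp_types_allowed
access-group outside_access_in in interface outside

! ---- Verify ----
! After option 1, both commands should list global_policy; the empty output
! shown in the question is what a missing policy looks like.
show run policy-map
show run service-policy
```

Only one of the two options is needed; option 1 is the closer match to what "configure factory-default" would have produced, while option 2 is the smaller change if the goal is to keep inspection off entirely.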

You are right. This is missing if you completely erase the config. Instead of doing a "write erase" you could do a "configure factory-default" from global config mode to erase the config and get the default applied. The default policy is also documented here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/inspect_overview.html#pgfId-1536127
