how to permit ICMP through ASA 5505 OUTSIDE to INSIDE

lee123456
Level 1

Hi all,

Apologies if this has been asked before. Still extremely new with Packet Tracer, Cisco, etc.

I am practicing connecting two remote networks and then adding a Cisco ASA 5505.

I have managed to allow ICMP requests through the firewall when they are from the inside interface, but when I try to ping from anything on the outside interface to a host on the inside, it fails. I have tried a variety of settings but I'm at a loss. Apologies if the config's a mess.

Any tips would be greatly appreciated!

ciscoasa#show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
object network inside
 subnet 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
!
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any unreachable
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list outside_access_in extended permit icmp any any
!
!
object network inside
 nat (inside,outside) dynamic interface
!
!
!
!
class-map lee
 match default-inspection-traffic
!
policy-map ICMP
 class lee
  inspect icmp
policy-map global_policy
policy-map global
!
service-policy ICMP global
!
telnet timeout 5
ssh timeout 5
!
dhcpd enable inside
!
!
!
!
!
!

1 Accepted Solution


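You have two interfaces, inside and outside. Now from outside you need access to the inside network (for example web/SMTP).

In that case, here is the configuration you need.

! Dynamic PAT for the inside subnet behind the outside interface address
object network INSIDE
 subnet 192.168.x.x
 nat (inside,outside) dynamic interface
!
! Static NAT that publishes the web server on the outside interface address
object network WEB-SERVER
 host 192.168.x.x
 nat (inside,outside) static interface
!
! Permit inbound HTTP to the web server (the object name must match the one defined above)
access-list outside_in ext permit tcp any object WEB-SERVER eq 80
!
! Bind the ACL to inbound traffic on the outside interface
access-group outside_in in interface outside

Please do not forget to rate.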
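
An added example, not part of the original thread: a small Python check that reads ASA configuration text and flags access lists that no `access-group` binds to an interface, ACL entries that reference an undefined `object`, and interfaces sharing a security level without `same-security-traffic permit inter-interface`. The function name, finding labels and sample (a subset of the lines in the question's configuration) are constructed for illustration, and object names are assumed to be case-sensitive.

```python
import re

# Constructed sample: a subset of the running-config lines posted in the question.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 0
interface Vlan2
 nameif outside
 security-level 0
access-list 100 extended permit tcp any any
access-list outside extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any
"""

def audit_asa_config(text):
    """Return sorted (kind, detail) findings; only access-group counts as an ACL binding."""
    acls, bound, objects, refs = set(), set(), set(), set()
    by_level, nameif, same_sec_ok = {}, None, False
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # a new interface stanza starts
        elif tok[0] == "nameif" and len(tok) > 1:
            nameif = tok[1]
        elif tok[0] == "security-level" and nameif and len(tok) > 1:
            by_level.setdefault(tok[1], []).append(nameif)
        elif tok[:2] == ["object", "network"] and len(tok) > 2:
            objects.add(tok[2])
        elif tok[0] == "access-list" and len(tok) > 1:
            acls.add(tok[1])
            # every "object NAME" operand in the entry must be a defined object
            refs.update((tok[1], o) for o in re.findall(r"\bobject (\S+)", line))
        elif tok[0] == "access-group" and len(tok) > 1:
            bound.add(tok[1])
        elif tok[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            same_sec_ok = True
    out = [("unbound-acl", a) for a in acls - bound]
    out += [("undefined-acl", a) for a in bound - acls]
    out += [("undefined-object", f"{a}:{o}") for a, o in refs if o not in objects]
    if not same_sec_ok:                        # equal levels are blocked by default
        out += [("same-security", f"{','.join(sorted(n))}@{lvl}")
                for lvl, n in by_level.items() if len(n) > 1]
    return sorted(out)

if __name__ == "__main__":
    print(audit_asa_config(SAMPLE_CONFIG))
```

An ACL can also be referenced from other features such as a class-map, so an `unbound-acl` finding means "not filtering traffic on any interface", not necessarily "unused".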


3 Replies

lee123456
Level 1

Apologies, I neglected to mention that this is in Packet Tracer.

The reason I'm wanting to allow traffic in from the outside interface is to access the resources on either network. In this case a web server and an SMTP server.

Many thanks for your help, it's all working!