Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1873
Views
0
Helpful
7
Replies

ICMP TRU ASAv

Go to solution
stephn.zii
Level 1
Level 1

‎04-10-2022 04:54 AM

Hello all,

       I configured my ASAv to allow icmp through but for some reason traffic is not going through, below are configs on device:

!

R2#

!
interface Ethernet0/0
description OUTSIDE
ip address 192.1.20.2 255.255.255.0
!

ciscoasa#
!

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.1.20.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.11.11.10 255.255.255.0
!

policy-map global_policy
class inspection_default
inspect icmp

!

access-list OUTSIDE line 1 extended permit icmp any4 any4 echo-reply (hitcnt=0) 0x1a292449
access-list OUTSIDE line 2 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xd763b729
access-list OUTSIDE line 3 extended permit icmp any4 any4 timestamp-reply (hitcnt=0) 0x9fbe9b61
access-list OUTSIDE line 4 extended permit icmp any4 any4 unreachable (hitcnt=0) 0xed842821
!

R1#

!
interface Ethernet0/0
description INSIDE
ip address 10.11.11.1 255.255.255.0
!

Any help will be appreciated.

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-10-2022 04:58 AM - edited ‎04-10-2022 07:27 AM

@stephn.zii by enabling ICMP inspection should allow traffic from inside to outside to work....if you have routing and potentially nat configured correctly.

 

Are you testing from inside (R1) to outside?

Is routing configured on the ASA and both routers?

If you are pinging from outside to inside you would need to create another ACE entry permitting "echo" on the ACL and also create an access-group (if it isn't already) and specifiy the direction and the interface.

 

access-list OUTSIDE extended permit icmp any4 any4 echo
access-group OUTSIDE in interface outside

 If that doesn't work run packet-tracer from the CLI and provide the output for review.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎04-10-2022 04:58 AM - edited ‎04-10-2022 07:27 AM

@stephn.zii by enabling ICMP inspection should allow traffic from inside to outside to work....if you have routing and potentially nat configured correctly.

 

Are you testing from inside (R1) to outside?

Is routing configured on the ASA and both routers?

If you are pinging from outside to inside you would need to create another ACE entry permitting "echo" on the ACL and also create an access-group (if it isn't already) and specifiy the direction and the interface.

 

access-list OUTSIDE extended permit icmp any4 any4 echo
access-group OUTSIDE in interface outside

 If that doesn't work run packet-tracer from the CLI and provide the output for review.

0 Helpful

Go to solution
stephn.zii
Level 1
Level 1
In response to Rob Ingram

‎04-12-2022 08:29 AM

Hello Ingram,

     Yes I am testing from R1 to R2 and I have attach my topology to this reply. Yes routing is configured on the ASA, I am running BGP with R2 and OSPF with R1 and redistributed BGP into OSPF but have a default route on the ASA going to R2.  I recreated the access list, see below:

access-list TRU-TRAFIK permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 23
access-list TRU-TRAFIK permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 22
access-list TRU-TRAFIK permit icmp host 192.1.20.2 10.11.11.0 255.255.255.0 eq echo
!
access-group TRU-TRAFIK in interface Outside
!

but I also found something weird, the ospf neighbors are not forming and I cannot ping to the ASA interface ip from either routers so I think there is an issue with my ASA image. I will check that and let you know the outcome.

Preview file
20 KB
0 Helpful

Go to solution
stephn.zii
Level 1
Level 1
In response to Rob Ingram

‎04-12-2022 10:37 AM

Thank you for your response I think it was my asa that was not working well. I deleted it and recreated it with new setup and everything started working. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎04-10-2022 05:11 AM - edited ‎04-10-2022 05:12 AM

what is the source and destination? what do you see in the log s?

 

any4 any4

not sure - this should be any any right?

 

access-group OUTSIDE in interface Outside

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
stephn.zii
Level 1
Level 1
In response to balaji.bandi

‎04-12-2022 08:31 AM

Hello Bandi,

         I think my ASA image has an issue so I am working on it and when am done I will let you know the outcome.

0 Helpful

Go to solution
stephn.zii
Level 1
Level 1
In response to balaji.bandi

‎04-12-2022 10:37 AM

Thank you for your response I think it was my asa that was not working well. I deleted it and recreated it with new setup and everything started working. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to stephn.zii

‎04-12-2022 02:09 PM

Glad to know it was resolved and appreciated your feedback, it is very useful for the community member, who have the same issue and can resolve it quickly with the solution.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card