icmp

Hi All,

I have an issue with allowing ICMP from outside to inside. Inside to Outside works great.

I would really appreciate it if someone could give me some advice.

Thanks for all your help!!

r13 (210.1.1.2) >>>>>>>>>>>>>>>> (210.1.1.1) outside ASA inside (172.20.1.2)>>>>>>>>>>>(172.20.1.1) r7

Please find extract from show config from ASA:

Result of the command: "show run"

: Saved
:
ASA Version 8.0(2)
!
names
name 192.168.0.0 external description externalpingable
!
interface Ethernet0/0
 nameif management
 security-level 100
 ip address 172.20.1.2 255.255.255.248
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 210.1.1.1 255.255.255.252
!
!
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
 network-object external 255.255.0.0
 network-object 210.1.1.0 255.255.255.252
access-list from_outside extended permit icmp any any echo
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 172.20.1.0 255.255.255.248 log disable
icmp unreachable rate-limit 1 burst-size 1
global (outside) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 210.1.1.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.1.1 255.255.255.255 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error
  inspect snmp
  inspect tftp
!
service-policy global-policy global

6 Replies

Is it icmp/echo that you want to allow in?

Then you have to migrate the "from_outside"-ACL into the ACL that is bound to the outside-interface:

access-list outside_access_in extended permit icmp any any echo

In addition you need a static translation for the systems that you want to ping from outside.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for your feedback.

I'll try and let you know.

Hi,

Do you want me to apply static NAT to inside host on its way out? Not sure how this can help.

Could you please clarify?

Thanks

When communicating from the lower to the higher security-level you need a static translation for the server that should be reachable.

Or do you just want to give r13 the possibility to communicate to r7? Then the ACL is all you need on the ASA. But r13 needs a route to the network 172.20.1.0/29.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
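The two replies above name three pieces (the permit in the ACL that is actually bound to the outside interface, a static translation for the host to be pinged, and a route on r13). As an added worked example, not Karsten's configuration or anything posted in the thread, this is how they fit together on the ASA 8.0 pre-8.3 syntax shown in the post, assuming the thread's addresses and interface names; the echo permit is narrowed to r7 (172.20.1.1) rather than "any any".

```cisco
! Added example; assumes r7 = 172.20.1.1 behind "management" and
! r13 = 210.1.1.2 on "outside", as in the thread.
!
! 1. The echo permit must live in the ACL bound to the outside interface.
!    "from_outside" is never referenced by an access-group, so its entries
!    have no effect. Permit only the host that should answer: every
!    outside-in permit is exposed surface, so keep it as narrow as possible.
access-list outside_access_in extended permit icmp any host 172.20.1.1 echo
access-group outside_access_in in interface outside
!
! 2. Pre-8.3 static translation for the reachable host. This is an identity
!    static (real address presented unchanged on the outside):
!    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (management,outside) 172.20.1.1 172.20.1.1 netmask 255.255.255.255
!
! 3. Keep ICMP inspection enabled so the echo-reply is matched to the
!    request statefully and no separate permit for echo-reply is needed.
policy-map global-policy
 class global-class
  inspect icmp
  inspect icmp error
!
! 4. r13 needs a route for the inside network toward the ASA outside
!    address (IOS syntax, applied on r13, not on the ASA):
!    ip route 172.20.1.0 255.255.255.248 210.1.1.1
!
! Verification on the ASA:
!   show access-list outside_access_in   -> hitcnt increments on the echo line
!   show xlate                           -> static entry for 172.20.1.1
!   packet-tracer input outside icmp 210.1.1.2 8 0 172.20.1.1
```

packet-tracer walks the packet through ACL, NAT and route lookup in order and reports which phase drops it, which is the quickest way to tell an ACL problem from a missing translation.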

Hi,

Karsten thanks for your reply.

I applied the ACL and static routing but it still isn't working.

I can see hits against the ACL and translations/untranslations, but ping still fails.

My running config looks like this:

Result of the command: "show run"

names
name 192.168.0.0 external description externalpingable
!
interface Ethernet0/0
 nameif management
 security-level 100
 ip address 172.20.1.2 255.255.255.248
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 210.1.1.1 255.255.255.252
!
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
 network-object external 255.255.0.0
 network-object 210.1.1.0 255.255.255.252
access-list from_outside extended permit icmp any any echo
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 172.20.1.0 255.255.255.248 log disable
icmp unreachable rate-limit 1 burst-size 1
global (outside) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 210.1.1.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.1.1 255.255.255.255 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error
  inspect snmp
  inspect tftp
!
service-policy global-policy global

Any ideas?

Sorry, my bad. My access list was still pointing to the internal host.

Thanks!!! All good now!!!
