Pings thru ASA/PIX 7.x

I've got one more question relating to ICMP: with ICMP inspection enabled, when pinging from an outside host to an inside host, or from an inside host to an outside host, is it required to explicitly permit the return ICMP traffic?

4 Replies

Jorge Rodriguez (Level 10)

Vikram, please refer to this link to learn how inbound and outbound ICMP requests work for both PIX code 6.x and ASA 7.x.

To ping a host inside your net from outside you have to permit echoes; this assumes there is a static NAT for the intended inside host to be pinged.

To ping from inside to outside, there are two ways to do it.

Quote from link!

Either build an ACL:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

or

policy-map global_policy
 class inspection_default
  inspect icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Jorge Rodriguez

This link specifically refers to pinging an outside host from inside.

As you have mentioned, with echoes allowed on the outside interface in the inward direction and ICMP inspection turned on, will the echo-reply from the inside host pass through the inspection engine, or through the ACL on the inside interface in the inward direction?

Hope you got my question. Will this be any different in transparent firewalls?

Accepted Solution

Absolutely. With ICMP inspection on, even if you have an ACL permitting ICMP, it will pass through the ICMP inspection engine; this also applies in transparent mode or multiple-context 7.x. The guideline is to use the ICMP inspection engine.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1665749

Jorge Rodriguez
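As an added illustration (not from the original thread and not Cisco code), here is a small Python model of the two options Jorge lists above and of the point in the accepted reply: a plain ACL is stateless and lets any echo-reply in, while "inspect icmp" records each outbound echo request and passes back exactly one reply with matching addresses, identifier and sequence number, even when an ACL would also have permitted the packet. The addresses, identifier and sequence values are constructed, and the model treats the ICMP error types (unreachable, time-exceeded, source-quench) as ACL-only, which is a simplification rather than a description of the real engine.

```python
"""Toy model of how an ASA/PIX 7.x decides whether inbound ICMP gets through.

Constructed illustration for this thread, not Cisco code. Only echo
request / echo reply are modelled statefully; ICMP error types are just
matched against the ACL here (a simplification, stated as an assumption).
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# ICMP type numbers (RFC 792)
ECHO_REPLY, UNREACHABLE, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11


@dataclass(frozen=True)
class Icmp:
    """The fields the firewall looks at for a ping flow."""
    src: str
    dst: str
    icmp_type: int
    ident: int = 0   # echo identifier
    seq: int = 0     # echo sequence number


# Option 1: access-list 101 from the thread, applied inbound on "outside".
# A plain ACL is stateless: it only matches on the ICMP type.
ACL_101_TYPES = {ECHO_REPLY, SOURCE_QUENCH, UNREACHABLE, TIME_EXCEEDED}


def acl_permits(pkt: Icmp) -> bool:
    return pkt.icmp_type in ACL_101_TYPES


# Option 2: "inspect icmp". The engine records each outbound echo request and
# passes back exactly one reply whose reversed addresses, identifier and
# sequence number match that request.
class IcmpInspector:
    def __init__(self) -> None:
        self._pending: Set[Tuple[str, str, int, int]] = set()

    def outbound(self, pkt: Icmp) -> None:
        """Called for an ICMP packet leaving via the outside interface."""
        if pkt.icmp_type == ECHO_REQUEST:
            self._pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))

    def match_reply(self, pkt: Icmp) -> bool:
        """True exactly once for a reply that answers a recorded request."""
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # addresses reversed
        if key in self._pending:
            self._pending.discard(key)  # one reply per request
            return True
        return False


def inbound_allowed(pkt: Icmp, inspector: Optional[IcmpInspector] = None,
                    acl: bool = False) -> bool:
    """Decide the fate of an ICMP packet arriving on the outside interface.

    inspector is not None -> "inspect icmp" is configured
    acl is True           -> access-list 101 is applied inbound on outside
    """
    if inspector is not None and pkt.icmp_type == ECHO_REPLY:
        # With inspection on, every echo reply is judged by the engine even if
        # an ACL would permit it: unsolicited or duplicate replies are dropped.
        return inspector.match_reply(pkt)
    # Not handled by the (toy) inspection engine: only an ACL can let it in.
    return acl and acl_permits(pkt)


if __name__ == "__main__":
    inside, outside = "10.1.1.5", "198.51.100.1"   # constructed addresses
    insp = IcmpInspector()
    insp.outbound(Icmp(inside, outside, ECHO_REQUEST, ident=7, seq=1))
    reply = Icmp(outside, inside, ECHO_REPLY, ident=7, seq=1)
    print("inspect icmp, matching reply   :", inbound_allowed(reply, inspector=insp))
    print("inspect icmp, duplicate reply  :", inbound_allowed(reply, inspector=insp))
    print("ACL only, unsolicited reply    :", inbound_allowed(reply, acl=True))
    print("ACL + inspect, unsolicited     :",
          inbound_allowed(reply, inspector=IcmpInspector(), acl=True))
```

The last two lines of the demo are the practical difference: the ACL alone admits any echo-reply aimed at an inside address, whereas with inspection on the same packet is dropped unless an inside host actually sent the matching request.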

Thanks, I have rated your post
