04-24-2012 10:58 PM - edited 03-11-2019 03:57 PM
Dear All,
I am unable to ping from the MZ zone to the firewall IP. Can anybody advise me how to enable ping?
I have my Spectrum server 10.242.103.42 in the MZ zone with security level 70, and the firewall inside IP 10.142.101.100 has security level 100. Now I am unable to ping from the Spectrum server to my firewall inside IP.
Can anybody help me?
Thanks
Srinivas
04-25-2012 12:54 AM
Hi,
To my understanding you can ping a Cisco firewall's interface IP behind another interface.
Meaning you can ping an interface IP as long as the host is behind that interface.
For ICMP to work between hosts on 2 different interfaces, please check that you have an access-list allowing it and that you have the following configuration:
policy-map global_policy
class inspection_default
inspect icmp
- Jouni
04-25-2012 02:07 AM
By default ICMP is denied passage from a low security level to a high security level. When one host sends an ICMP request to any host it goes to port 0, and when the ICMP reply comes back it comes to port 8. So because the ASA uses stateful packet inspection, the host does not see reachability by ping.
If you want to, you can deploy an access-list:
access-list 101 permit icmp any any (or any particular host)
access-group 101 in MZ
But it gives you less security.
04-25-2012 03:07 AM
A better solution is to enable the ICMP inspector. ICMP is not a stateful protocol at all, but the ASA can infer enough information to make it seem stateful. The ICMP inspector can selectively (and automatically) open a “connection” to permit return traffic based on the original outbound requests. It will permit only one response to return for every request that is sent out. The ICMP sequence numbers must also match between a request and a reply packet. With “stateful” ICMP inspection, the ICMP connections and xlate entries can be quickly torn down as soon as the appropriate reply is received.
You can enable ICMP inspection as an action within a policy map by using the inspect icmp command. By default, the ICMP inspector does not permit any ICMP error packets to return. This is because an ICMP error message can be sent from an address other than the original ICMP target. You can use the inspect icmp error command to enable ICMP error processing as part of ICMP inspection.
Example 9-10 shows how ICMP and ICMP error inspection can be enabled globally, within the global_policy policy map.
Example 9-10 Enabling ICMP and ICMP Error Inspection Globally
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)#
Hope it will help you.
Let us know if it does not work.
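The inspector behaviour the post above describes (one reply per request, id/seq must match, entry torn down on the reply, ICMP errors dropped unless error inspection is on) can be modelled in a few lines. This is an added example, not Cisco code or anything from the thread; the `Icmp` record, the `IcmpInspector` class and the sample addresses are all constructed for illustration.

```python
from collections import namedtuple

# Constructed model of the ASA ICMP inspector behaviour described in the post
# above; this is NOT Cisco code. ICMP type numbers are the real IANA values.
ECHO_REQUEST, ECHO_REPLY = 8, 0
ERROR_TYPES = {3, 11}  # destination-unreachable, time-exceeded

# quoted: for error messages, the (src, dst, ident, seq) of the request they quote
Icmp = namedtuple("Icmp", "src dst type ident seq quoted", defaults=(0, 0, None))


class IcmpInspector:
    def __init__(self, inspect_error=False):
        self.inspect_error = inspect_error  # the 'inspect icmp error' knob
        self.conns = set()                  # pending echo "connections"

    def outbound(self, pkt):
        # An echo request opens one pseudo connection keyed on src/dst/id/seq.
        if pkt.type != ECHO_REQUEST:
            return False
        self.conns.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt):
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.conns:
                self.conns.discard(key)  # one reply per request, torn down at once
                return True
            return False
        if pkt.type in ERROR_TYPES:
            # Errors come from a router, not the pinged host, so the outer header
            # cannot match; they pass only when error inspection is on and the
            # quoted request matches a pending connection.
            return self.inspect_error and pkt.quoted in self.conns
        return False


def run_scenario(inspect_error=False):
    # Constructed sample traffic with made-up addresses, not the thread's hosts.
    fw = IcmpInspector(inspect_error)
    inside, outside, router = "10.0.0.10", "198.51.100.5", "203.0.113.1"
    fw.outbound(Icmp(inside, outside, ECHO_REQUEST, ident=7, seq=1))
    ttl_exceeded = Icmp(router, inside, 11, quoted=(inside, outside, 7, 1))
    wrong_seq = Icmp(outside, inside, ECHO_REPLY, ident=7, seq=2)
    reply = Icmp(outside, inside, ECHO_REPLY, ident=7, seq=1)
    return {
        "icmp_error": fw.inbound(ttl_exceeded),  # False unless inspect icmp error
        "wrong_seq": fw.inbound(wrong_seq),      # sequence numbers must match
        "reply": fw.inbound(reply),              # the one permitted response
        "duplicate_reply": fw.inbound(reply),    # entry already torn down
    }
```

Running `run_scenario()` with and without `inspect_error=True` shows why a ping works after `inspect icmp` while a traceroute-style time-exceeded message still needs `inspect icmp error`.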