12-31-2019 03:20 AM
I have an ASA firewall with 9.6 code. When I create and apply an ACL as below, it works fine:
ASA(config)#access-list abc permit icmp any any echo-reply
ASA(config)# access-group abc in interface Outside
But when I want to allow a specific IP to ping to Outside, creating the ACL as below, it does not work:
ASA(config)#access-list abc permit icmp host 1.1.1.1 192.1.20.0 255.255.255.0 echo-reply
ASA(config)# access-group abc in interface Outside
Help me.
Thanks
12-31-2019 03:27 AM
Where is this host IP address 1.1.1.1 located?
Do you have NAT enabled?
12-31-2019 03:28 AM
This host is located at inside.
No NAT configured.
Routing done.
12-31-2019 03:30 AM
Can you run packet-tracer as suggested and also look at the logs when you are pinging? What is the cause of dropping the ping?
12-31-2019 03:42 AM - edited 12-31-2019 03:46 AM
Yes, I know in the ACL I have written 10.11.11.1, but it does not work with this IP as well.
Can you tell me the packet-tracer command?
Yes, I am specifying source IP/interface.
12-31-2019 04:20 AM - edited 12-31-2019 04:26 AM
Outside#debug ip icmp
ICMP packet debugging is on
Outside#
*Dec 31 12:17:09.952: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:11.958: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:13.955: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:15.956: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:17.960: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
ciscoasa(config)# packet-tracer input inside icmp 1.1.1.1 8 0 192.1.20.2
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.1.20.2 using egress ifc Outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16, packet dispatched to next module
Result:
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)# ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=0 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=1 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=2 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=3 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=4 len=72
ciscoasa(config)#
Inside#ping 192.1.20.2 source ethernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.20.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
Inside#
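The two ACLs in the opening post and the debug/packet-tracer output above, as an added example that is not part of the original posts and not Cisco code: a small Python model of how an ASA evaluates an inbound interface ACL. The rule it implements is the documented one: the ACE's source and destination are compared with the packet as it arrives on the interface the ACL is bound to, the first matching ACE wins, and every ACL ends in an implicit deny. The packet fed to it is the echo reply the router-side "debug ip icmp" output shows (src 192.1.20.2, dst 1.1.1.1, ICMP type 0), which enters the ASA on Outside. The ACL named ACL_REVERSED is a constructed variant with the addresses in the order that reply carries them; it is not from the thread. The Packet, Ace, Acl, parse_ace, build_acl and evaluate names are this example's own.

```python
"""Model of how an ASA evaluates an inbound interface ACL against an ICMP packet.

Added illustration only, not ASA code. It implements the matching rule for the
small ACE grammar used in the thread: permit|deny icmp <src> <dst> [icmp-type],
where an address is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP type keywords the thread uses (ASA keyword -> ICMP type number)
ICMP_TYPE_KEYWORDS = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    ingress: str          # interface the packet arrives on
    src: str              # source address as carried in the packet
    dst: str
    icmp_type: int


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int]   # None = any ICMP type


@dataclass
class Acl:
    name: str
    bound_to: str              # interface from "access-group <name> in interface <ifc>"
    aces: list


def _address(tokens, i):
    """Consume one ASA address spec at tokens[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list <name> permit|deny icmp <src> <dst> [icmp-type]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "icmp":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _address(t, 4)
    dst, i = _address(t, i)
    icmp_type = ICMP_TYPE_KEYWORDS[t[i]] if i < len(t) else None
    return t[1], Ace(t[2], src, dst, icmp_type)


def build_acl(ace_lines, access_group_line):
    """Combine the ACE lines with the access-group line that binds the ACL inbound."""
    g = access_group_line.split()   # access-group <name> in interface <ifc>
    name, direction, ifc = g[1], g[2], g[4]
    if direction != "in":
        raise ValueError("only inbound ACLs are modelled here")
    aces = [ace for ace_name, ace in map(parse_ace, ace_lines) if ace_name == name]
    return Acl(name, ifc, aces)


def evaluate(acl, pkt):
    """Return (action, index of the matching ACE) for a packet arriving on acl.bound_to.

    (None, None) means the packet did not enter on that interface, so this ACL
    is never consulted for it; (\"deny\", None) is the implicit deny at the end.
    """
    if pkt.ingress != acl.bound_to:
        return None, None
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for idx, ace in enumerate(acl.aces):
        if src in ace.src and dst in ace.dst and ace.icmp_type in (None, pkt.icmp_type):
            return ace.action, idx
    return "deny", None


# The echo reply as the router debug in the thread shows it (src 192.1.20.2,
# dst 1.1.1.1); it reaches the ASA on Outside. The echo request is the one the
# thread's packet-tracer tested, entering on inside. Both tuples are constructed
# from the thread's output, not captured here.
ECHO_REPLY = Packet(ingress="Outside", src="192.1.20.2", dst="1.1.1.1", icmp_type=0)
ECHO_REQUEST = Packet(ingress="inside", src="1.1.1.1", dst="192.1.20.2", icmp_type=8)

BIND = "access-group abc in interface Outside"
ACL_ANY = build_acl(["access-list abc permit icmp any any echo-reply"], BIND)
ACL_HOST = build_acl(
    ["access-list abc permit icmp host 1.1.1.1 192.1.20.0 255.255.255.0 echo-reply"], BIND)
# Constructed variant (not from the thread): addresses in the order the reply carries them.
ACL_REVERSED = build_acl(
    ["access-list abc permit icmp 192.1.20.0 255.255.255.0 host 1.1.1.1 echo-reply"], BIND)

if __name__ == "__main__":
    for label, acl in (("any any", ACL_ANY),
                       ("host 1.1.1.1 -> 192.1.20.0/24", ACL_HOST),
                       ("192.1.20.0/24 -> host 1.1.1.1", ACL_REVERSED)):
        print(f"{label:32} reply: {evaluate(acl, ECHO_REPLY)}  request: {evaluate(acl, ECHO_REQUEST)}")
```

Two practical points follow from the model. The packet-tracer run in the thread (`icmp 1.1.1.1 8 0 192.1.20.2` entering on inside) tests the echo request leaving, which the Outside ACL never sees; the reply direction is tested with the same command from the other side, `packet-tracer input Outside icmp 192.1.20.2 0 0 1.1.1.1`, and its ACCESS-LIST phase shows which ACE, if any, the reply hits. Whether the reply needs an ACE at all depends on whether `inspect icmp` is in the service policy: with ICMP inspection the reply is matched to the connection created by the outgoing request and is allowed without consulting the interface ACL; without it, the reply is treated as a new inbound packet and must be permitted by the Outside ACL as the model shows.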