icmp

lotfi abbas
Level 1

I have configured PC1 on the inside of the ASA firewall and PC2 on the outside of the ASA firewall.

Inside security level 100 and outside security level 0.

When I add an ACL from inside to outside and an access-group, I get replies back from PC2.
When I add an ACL from outside to inside and an access-group, I get replies back from PC1.

I have applied two access-groups for the two ACLs, but when I do show run access-group
it shows me only one access-group command:

1- access-group IN-OUT in interface outside
2- access-group OUT-IN in interface outside

When I apply access-group IN-OUT in interface outside, I can ping from inside to outside,
and when I apply access-group OUT-IN, the IN-OUT access-group command is removed and I can ping from outside to inside. It is replaced, hence I can see only one
access-group command in the show access-group output, either IN-OUT or OUT-IN.

In this scenario I cannot ping from PC1 to PC2 and from PC2 to PC1 simultaneously.
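The behaviour described in this post, as an added model that is not from the thread and is not ASA code: it parses the poster's `access-list` and `access-group` lines and reproduces why `show run access-group` lists only one entry (the ASA keeps a single ACL per interface and direction, so a second `access-group` for the same slot replaces the first), then evaluates a merged ACL. The ACL name OUTSIDE-IN is an assumption; only `any` addresses are handled, and NAT, ICMP inspection and the default security-level rules are deliberately left out of the model.

```python
"""Toy model of ASA `access-group` binding semantics.

Constructed illustration, not ASA code and not from the thread. It parses the
poster's ACL lines and shows why `show run access-group` lists only one entry.
Only `any` addresses and ICMP sub-types are modelled; NAT, inspection and the
implicit security-level rules are deliberately left out.
"""
import re

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$"
)
BIND_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


class AsaAclModel:
    def __init__(self):
        # ACL name -> ordered list of (action, protocol, icmp_type or None)
        self.acls = {}
        # (interface, direction) -> bound ACL name; exactly one slot per pair
        self.bindings = {}

    def configure(self, line):
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, src, dst, sub = m.groups()
            if src != "any" or dst != "any":
                raise ValueError("model only supports 'any' addresses: " + line)
            self.acls.setdefault(name, []).append((action, proto, sub))
            return
        m = BIND_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            if name not in self.acls:
                raise ValueError("unknown ACL " + name)
            # The ASA holds one ACL per interface and direction, so a new
            # access-group for the same slot silently replaces the earlier one.
            self.bindings[(iface, direction)] = name
            return
        raise ValueError("unsupported line: " + line)

    def show_run_access_group(self):
        return [f"access-group {n} {d} interface {i}"
                for (i, d), n in self.bindings.items()]

    def permits(self, iface, direction, proto, icmp_type=None):
        """First-match evaluation of the ACL bound to (iface, direction)."""
        name = self.bindings.get((iface, direction))
        if name is None:
            return None  # nothing bound: security levels decide (not modelled)
        for action, p, sub in self.acls[name]:
            if p in (proto, "ip") and (sub is None or sub == icmp_type):
                return action == "permit"
        return False  # implicit deny at the end of every ACL


# The poster's two ACLs, applied in the order described in the thread.
POSTED_CONFIG = [
    "access-list IN-OUT extended permit icmp any any echo-reply",
    "access-group IN-OUT in interface outside",
    "access-list OUT-IN extended permit icmp any any",
    "access-group OUT-IN in interface outside",
]

# One merged ACL (assumed name OUTSIDE-IN) carrying both requirements.
MERGED_CONFIG = [
    "access-list OUTSIDE-IN extended permit icmp any any echo",
    "access-list OUTSIDE-IN extended permit icmp any any echo-reply",
    "access-group OUTSIDE-IN in interface outside",
]


def load(lines):
    model = AsaAclModel()
    for line in lines:
        model.configure(line)
    return model


if __name__ == "__main__":
    print(load(POSTED_CONFIG).show_run_access_group())  # only OUT-IN survives
    merged = load(MERGED_CONFIG)
    print(merged.show_run_access_group())
    for t in ("echo", "echo-reply", "redirect"):
        print(t, merged.permits("outside", "in", "icmp", t))
```

Running it with the posted lines leaves a single binding for (outside, in), which is exactly what the poster sees; the merged list keeps both ICMP types under one `access-group` while still dropping other ICMP types and non-ICMP traffic through the implicit deny.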

11 Replies

I need to see the ACL you use.

MHM

mohamedlamine
Level 1

Could you post the code you use?

My ACL for echo reply is as follows:

access-list IN-OUT extended permit icmp any any echo-reply

access-group IN-OUT in interface outside

My ACL for ICMP traffic initiated from outside:

access-list OUT-IN extended permit icmp any any

access-group OUT-IN in interface outside

I try to add two access-group statements for both ACLs, but the ASA firewall saves only one access-group command in its configuration.

I cannot ping from PC1, which is on the inside of the firewall, to PC2, which is on the outside of the ASA firewall,

and from PC2 to PC1 simultaneously.

balaji.bandi
Hall of Fame

If I read correctly, "replies" means ping? If this is an ASA, you do not need an inside-to-outside ACL; you just need the protocol fixup for ICMP.

That should work inside to outside.

You need an ACL to allow only traffic from the outside network to inside.

different example you can view here :

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/217679-asa-access-control-list-configuration-ex.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for your reply.
I have tested return traffic from outside to inside using the icmp fixup command,
and also icmp inspection, which is the same as fixup; that works fine.
But I wanted to apply an ACL for icmp echo reply,
like access-list outside extended permit icmp any any echo-reply.


You want to allow only echo?

There are different ways to do this, but we need to see your configuration, how that was configured.

Example from my notes:

 

policy-map global_policy
 class inspection_default
  inspect icmp
!

access-list outside extended permit icmp any any echo

BB

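The two approaches described in the replies above (ICMP inspection for the return traffic, and a single ACL permitting only echo inbound on the outside interface) combined into one working configuration, as an added example that is neither the configuration posted in this thread nor Cisco's own text. The ASA keeps one inbound ACL per interface, so both requirements must live in the same list. The addresses (PC1 192.168.1.10 on inside, PC2 203.0.113.10 on outside), the ACL name OUTSIDE-IN and the absence of NAT are assumptions.

```cisco
! Added example, not the configuration from this thread. Assumed lab:
!   PC1 192.168.1.10 on "inside" (security-level 100)
!   PC2 203.0.113.10 on "outside" (security-level 0), no NAT.

! 1) Stateful ICMP inspection: the ASA records PC1's outbound echo and admits
!    only the matching echo-reply, so no inbound ACE for replies is needed and
!    unsolicited echo-replies from the outside are still dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2) One ACL for everything that arrives on the outside interface. Applying a
!    second "access-group ... in interface outside" would replace this one,
!    so the outside-initiated ping permission goes in the same list.
access-list OUTSIDE-IN extended permit icmp host 203.0.113.10 host 192.168.1.10 echo
!
! Without "inspect icmp" the replies to PC1's pings need an explicit ACE:
! access-list OUTSIDE-IN extended permit icmp host 203.0.113.10 host 192.168.1.10 echo-reply
!
! Everything else is dropped by the implicit deny; log it to see what is hitting the interface.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Verify with `show access-list OUTSIDE-IN` (hit counts per ACE), `show conn` (inspected ICMP sessions appear while a ping from PC1 is in flight) and `packet-tracer input outside icmp 203.0.113.10 8 0 192.168.1.10`, which walks the inbound echo through the ACL and inspection phases. A `permit icmp any any` inbound on the outside interface, as used in the posted OUT-IN list, admits every ICMP type from any source to any inside host; restricting it to the needed hosts and to type echo keeps the inside from being swept or redirected from outside.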


 

I tried to add:
2- access-group OUT-IN in interface outside

(attached screenshot: asa icmp.png)

Thank you so much

I will apply this tomorrow Insha Allah.

That works, thank you for the support.

I can ping simultaneously.

You are so welcome 

MHM
