Hi, this document is for freshers who are trying to allow ICMP through the ASA for the first time.
Router-1:
int f0/0
ip add 10.0.0.2 255.255.255.0
int f0/1
ip add 192.168.1.1 255.255.255.0
! Default route pointing towards the firewall
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Router-2:
int f0/0
ip add 172.16.1.2 255.255.255.0
ip route 192.168.1.0 255.255.255.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ASA:
interface e0/0
ip address 10.0.0.1 255.255.255.0
nameif inside
security-level 100
interface e0/1
ip address 172.16.1.1 255.255.255.0
nameif outside
security-level 0
route inside 192.168.1.0 255.255.255.0 10.0.0.2
! Next hop is Router-2 f0/0, on the outside subnet 172.16.1.0/24
route outside 0.0.0.0 0.0.0.0 172.16.1.2
------ Above is the basic configuration to be done in ASA ----------
To allow ICMP:
1. NAT is required if the outside IP is from a public IP range (e.g. 209.165.200.0/24); for a private IP, NAT is not required.
2. NAT is not required if NAT control is not enabled on the firewall.
3. NAT is required if NAT control is enabled on the firewall, even if the outside IP is a private IP.
4. No ACL is needed, because by default traffic is allowed from a higher security level to a lower security level (in our case, inside-100 to outside-0).
5. Just configure ICMP inspection to allow ping in our case:
ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside
To enable ICMP inspection for all interfaces, use the global parameter in place of interface outside.
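
Why step 5 is needed even though step 4 needs no ACL: the echo request leaves from inside (100) to outside (0), but the echo reply arrives on the lower-security interface and is only let back in when ICMP inspection has recorded the matching request. The Python sketch below is an added illustration, not part of the original post and not ASA code; it models only the security levels and the inspection session table, ignores NAT, and the host 192.168.1.10 is a constructed sample address.

```python
from dataclasses import dataclass

LEVELS = {"inside": 100, "outside": 0}        # security levels from the ASA config
HOST, ROUTER2 = "192.168.1.10", "172.16.1.2"  # HOST is a constructed sample address

@dataclass(frozen=True)
class Icmp:
    in_if: str   # interface the packet arrives on
    src: str
    dst: str
    kind: str    # "echo" or "echo-reply"
    ident: int
    seq: int

class AsaModel:
    """Simplified model: security levels plus the ICMP inspection session table."""
    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp
        self.pending = set()  # outstanding echo requests seen by inspection

    def handle(self, p, out_if):
        higher_to_lower = LEVELS[p.in_if] > LEVELS[out_if]
        if p.kind == "echo" and higher_to_lower:
            # Step 4: allowed by default, no ACL needed.
            if self.inspect_icmp:
                self.pending.add((p.src, p.dst, p.ident, p.seq))
            return "permit"
        if p.kind == "echo-reply" and self.inspect_icmp:
            # Step 5: a reply is accepted only if it matches a recorded request.
            key = (p.dst, p.src, p.ident, p.seq)
            if key in self.pending:
                self.pending.remove(key)  # one reply per request
                return "permit"
        # Lower-to-higher traffic with no matching session and no ACL.
        return "deny"

def ping(asa, seq=1):
    """Send one echo from inside and its reply from outside; return both verdicts."""
    req = Icmp("inside", HOST, ROUTER2, "echo", 7, seq)
    rep = Icmp("outside", ROUTER2, HOST, "echo-reply", 7, seq)
    return asa.handle(req, "outside"), asa.handle(rep, "inside")

if __name__ == "__main__":
    print("without inspect icmp:", ping(AsaModel(False)))
    print("with inspect icmp:   ", ping(AsaModel(True)))
```

In this model, an echo request that originates on the outside is still denied with inspection enabled, since inspection only opens the return path for pings started from the higher-security side.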