89188 Views, 10 Helpful, 3 Comments
engineer_msu
Level 1

Hi, this document is for freshers who are trying to allow ICMP (ping) through the ASA for the first time. The lab topology is Router-1 (inside, with a 192.168.1.0/24 LAN behind it) -- ASA -- Router-2 (outside).

Router-1:

interface f0/0
 ip address 10.0.0.2 255.255.255.0
 no shutdown
interface f0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.1 (pointing towards the firewall)

Router-2:

interface f0/0
 ip address 172.16.1.2 255.255.255.0
 no shutdown
ip route 192.168.1.0 255.255.255.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1 (pointing towards the firewall)

ASA:

interface e0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
interface e0/1
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
 no shutdown
route inside 192.168.1.0 255.255.255.0 10.0.0.2
route outside 0.0.0.0 0.0.0.0 172.16.1.2

------ Above is the basic configuration needed on the ASA ----------

To allow ICMP:

1. NAT is required when the inside hosts use private addresses that are not routable on the outside network, for example when the outside interface sits on a public range such as 209.165.200.0/24. When both sides use private addresses that are routable to each other, as in this lab, NAT is not needed.

2. NAT is not required if NAT control is disabled on the firewall (this is the ASA default; the nat-control command exists only on ASA 8.2 and earlier and was removed in 8.3).

3. NAT is required if NAT control is enabled on the firewall, even when the outside IP is a private address.

4. No ACL is needed for the echo request, because traffic from a higher security level to a lower one (in our case inside-100 to outside-0) is allowed by default, as long as no access-group has been applied inbound on the inside interface (an applied ACL replaces that implicit permit).

5. The echo reply, however, arrives on the lower-security outside interface and is denied by default. ICMP inspection makes the ASA track the outgoing echo request as a connection and admit the matching reply (and related ICMP errors), so configure it as below. The alternative is an access list on the outside interface that explicitly permits echo-reply, time-exceeded and unreachable messages:

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside

To enable ICMP inspection on all interfaces, use the global keyword in place of interface outside. On a factory-default ASA a global_policy policy-map already exists with an inspection_default class that matches default-inspection-traffic, and adding inspect icmp under that class is the usual way to achieve the same result. Only one service policy can be bound to a given interface and only one can be global, so check which policies are already applied before binding a new policy-map.
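As an added example (my code, not Cisco's and not part of the original post), the following Python script audits an ASA configuration for the two mistakes that most often leave a first ping failing: a static route whose next hop is not on the subnet of the interface the route names, and no ICMP inspection reaching the outside interface. It runs against a copy of the post's ASA configuration, constructed inline, that keeps the originally posted default-route next hop 172.16.0.2 so the route check has something to catch. The parsing is a deliberately minimal model of ASA syntax (interface, route, policy-map and service-policy lines only), not a general ASA parser.

```python
"""Audit a Cisco ASA configuration for two things that commonly break a first
"ping through the firewall" lab: a static route whose next hop is not on the
subnet of the interface it names, and no ICMP inspection on the interface the
echo-replies arrive on.

Added example for the post above, not Cisco code.  The config below is
constructed from the post's own ASA lines and deliberately keeps its original
default-route next hop, 172.16.0.2, which lies on no ASA interface.
"""
import ipaddress
import re

# Constructed input: the ASA config from the post (subcommands indented as in a
# real running-config), including the route typo the checker should catch.
ASA_CONFIG_AS_POSTED = """\
interface e0/0
 ip address 10.0.0.1 255.255.255.0
 nameif inside
 security-level 100
interface e0/1
 ip address 172.16.1.1 255.255.255.0
 nameif outside
 security-level 0
route inside 192.168.1.0 255.255.255.0 10.0.0.2
route outside 0.0.0.0 0.0.0.0 172.16.0.2
class-map icmp-class
 match default-inspection-traffic
policy-map icmp_policy
 class icmp-class
  inspect icmp
service-policy icmp_policy interface outside
"""


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface.  The order of 'nameif' and
    'ip address' inside an interface block does not matter."""
    blocks, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = blocks.setdefault(s.split()[1], {})
        elif current is not None and s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            current["addr"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif current is not None and s.startswith("nameif "):
            current["nameif"] = s.split()[1]
        elif s and not line.startswith(" "):   # next top-level command ends the block
            current = None
    return {b["nameif"]: b["addr"] for b in blocks.values()
            if "nameif" in b and "addr" in b}


def check_routes(config, ifaces):
    """Yield one finding per static route whose next hop is not on the subnet
    of the interface the route names; the ASA cannot ARP for such a next hop."""
    route_re = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
    for line in config.splitlines():
        m = route_re.match(line.strip())
        if not m:
            continue
        nameif, dest, mask, nexthop = m.groups()
        if nameif not in ifaces:
            yield f"route {dest} {mask}: unknown interface {nameif}"
        elif ipaddress.IPv4Address(nexthop) not in ifaces[nameif].network:
            yield (f"route {dest} {mask}: next hop {nexthop} is not on "
                   f"{nameif} ({ifaces[nameif].network})")


def icmp_inspected_on(config, nameif):
    """True if 'inspect icmp' reaches traffic on `nameif`, either through a
    service-policy bound to that interface or through the global one."""
    inspects, current = {}, None          # policy-map name -> {inspected protocols}
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("policy-map "):
            current = inspects.setdefault(s.split()[1], set())
        elif current is not None and s.startswith("inspect "):
            current.add(s.split()[1])
        elif s and not line.startswith(" "):
            current = None
    bound = {}                            # "global" or nameif -> policy-map name
    for m in re.finditer(r"^service-policy\s+(\S+)\s+(?:(global)|interface\s+(\S+))",
                         config, re.M):
        bound[m.group(2) or m.group(3)] = m.group(1)
    return any("icmp" in inspects.get(bound[k], set())
               for k in (nameif, "global") if k in bound)


def audit(config):
    """Return all findings; an empty list means the config passes both checks."""
    findings = list(check_routes(config, parse_interfaces(config)))
    if not icmp_inspected_on(config, "outside"):
        findings.append("no ICMP inspection on outside: echo-replies will be "
                        "dropped unless an outside ACL permits them")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG_AS_POSTED):
        print("FINDING:", finding)
    corrected = ASA_CONFIG_AS_POSTED.replace("172.16.0.2", "172.16.1.2")
    print("after correcting the next hop:", audit(corrected) or "clean")
```

Run it as-is to see the route finding, then with the next hop corrected to 172.16.1.2 to see it pass; pointed at a real show running-config it will also flag routes that name an interface with no nameif or no address, and it reports missing ICMP inspection whether the policy is bound per interface or globally.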

Comments
rlevick01
Community Member

Is there a way to allow a ping from the inside to an outside router from only one IP address or subnet?

david sain
Level 1

Should "route outside 0.0.0.0 0.0.0.0 172.16.0.2" not be "route outside 0.0.0.0 0.0.0.0 172.16.1.2"?

Router 2 doesn't have a 172.16.0.2 interface IP.

D

Matt Wilson
Level 1

Thanks for that. How do we allow ICMPv6 through the ASA? I have tried everything. I have no problem with ICMPv4 passing through.
