Allow ICMP through Cisco ASA


Hi. This document is for freshers who are trying to allow ICMP through the ASA for the first time. The topology is Router-1 (inside LAN 192.168.1.0/24) - ASA - Router-2 (outside), and the goal is for a host behind Router-1 to ping Router-2.

Router-1:

 interface f0/0
  ip address 10.0.0.2 255.255.255.0
  no shutdown
 interface f0/1
  ip address 192.168.1.1 255.255.255.0
  no shutdown
 ip route 0.0.0.0 0.0.0.0 10.0.0.1   (default route pointing towards the ASA inside interface)

Router-2:

 interface f0/0
  ip address 172.16.1.2 255.255.255.0
  no shutdown
 ip route 192.168.1.0 255.255.255.0 172.16.1.1   (return route for the inside LAN, needed because no NAT is done)
 ip route 0.0.0.0 0.0.0.0 172.16.1.1             (default route pointing towards the ASA outside interface)

ASA:

 interface e0/0
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  no shutdown
 interface e0/1
  nameif outside
  security-level 0
  ip address 172.16.1.1 255.255.255.0
  no shutdown
 route inside 192.168.1.0 255.255.255.0 10.0.0.2
 route outside 0.0.0.0 0.0.0.0 172.16.1.2   (next hop is Router-2's f0/0 address, which is on the outside subnet)

------ Above is the basic configuration for the two routers and the ASA ----------

To allow ICMP:

1. Whether NAT is needed is a routing question, not an ICMP one. If the outside network is the public Internet (for example, the outside interface sits in 209.165.200.0/24), the private addresses of the inside hosts must be translated to a public address, because the far end cannot route echo replies back to 192.168.1.0/24. If the outside network is private and routable, as in the topology above (Router-2 has a route back to 192.168.1.0/24), NAT is not required for that reason.

2. On ASA releases before 8.3, NAT is not required if NAT control (the nat-control command) is disabled, which is the default.

3. On those same releases, NAT is required if NAT control is enabled, even when the outside address is private; an identity (nat 0) rule is enough. From 8.3 onwards NAT control no longer exists, so only point 1 decides whether NAT is needed.

4. No ACL is needed for the outbound echo request, because by default traffic is allowed from a higher security level to a lower one (in our case inside, 100, to outside, 0). The echo reply, however, arrives on the outside interface (security level 0) and, since ICMP is connectionless, is not matched to an existing connection unless ICMP is inspected; without step 5 the reply is dropped and the ping fails even though the request went out.

5. Configure ICMP inspection so that the ASA records each echo request as a connection and lets only the matching echo reply back in:

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside

To enable ICMP inspection for all interfaces, use the global parameter in place of interface outside (service-policy icmp_policy global). Note that the ASA allows only one global service policy; on a factory configuration the default global_policy is already applied globally, so in that case add inspect icmp to its inspection_default class instead of creating a second policy map.
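A worked example, added here and not part of the original post, that puts the same ICMP inspection into the ASA's default global_policy (the usual place for it, and a replacement for the per-interface icmp_policy above), then goes one step further than the post by restricting which inside host may ping out with an ACL on the inside interface, and finishes with the commands to verify the result. The host address 192.168.1.10 and the ACL name INSIDE_IN are assumptions for illustration; the other addresses are those of the topology above.

```cisco
! Put ICMP inspection in the default global policy (applies to all interfaces).
! On a factory configuration the class inspection_default already matches
! default-inspection-traffic, so only the inspect line is new.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Restrict who may ping out. Applying an ACL to the inside interface replaces
! the implicit "higher to lower security level" permit, so the final permit
! keeps the rest of the outbound traffic flowing. 192.168.1.10 is an assumed host.
access-list INSIDE_IN extended permit icmp host 192.168.1.10 any echo
access-list INSIDE_IN extended deny icmp any any
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Verify: simulate an echo request (type 8, code 0) from the permitted host to
! Router-2, confirm the inspection engine is active, and look for the ICMP
! connection entry while a ping is running.
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.1.2
show service-policy inspect icmp
show conn | include ICMP
```

The packet-tracer output should end with "Action: allow" and list the inspect phase; running it again with a different source address (for example 192.168.1.20) should stop at the ACCESS-LIST phase with "Action: drop", which confirms the restriction works without having to touch a real host.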

Comments
Community Member

Is there a way to allow a ping from the inside to an outside router from only one IP address or subnet?

Beginner

Should "route outside 0.0.0.0 0.0.0.0 172.16.0.2" not be "route outside 0.0.0.0 0.0.0.0 172.16.1.2"?

Router 2 doesn't have a 172.16.0.2 interface IP.

D

Beginner

Thanks for that. How do we allow ICMPv6 through the ASA? I have tried everything. I have no problem with ICMPv4 passing through.