allow icmp

julxu
Level 1

I wish to allow ping through my ASA5520 to an inside machine, and tried to permit icmp from my outside machine to my inside machine in both directions, and on both the outside and inside interfaces. But it still gives me this error:

%ASA-3-...: Deny inbound icmp src outside:MyoutsidePC dst outside:MyinsidePC (type8, code0)

Could anyone give me an example of how to configure an access-list for this case?

Any comments will be appreciated

Thanks in advance

My asa5520 v7.21 config is:

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 no ip address
!
interface GigabitEthernet0/0.101
 vlan 101
 no nameif
 no security-level
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
 vlan 102
 no nameif
 no security-level
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.3.9 255.255.255.0

1 Reply

a.kiprawih
Level 7

By default, PIX/ASA will deny incoming access/ICMP from outside (lower security) to inside/higher security level interfaces.

You need to open/use an ACL to allow inbound ICMP/ping from outside to inside, i.e. to your Vlan101. Do the following:

General icmp:

access-list outside extended permit icmp any any ---> permit any icmp type

access-group outside in interface outside --> bind ACL to outside interface

Ping to specific host:

- you need to map the inside host to an outside IP so that outside users/hosts can ping it. Use the static command.

- the static command allows other external hosts to 'see' your internal host virtually. The ASA will switch/send the traffic correctly to the actual host.

Example - map the vlan101 host 10.1.1.12 to the unused outside IP 10.1.3.40

asa(config)# static (inside,outside) 10.1.3.40 10.1.1.12 netmask 255.255.255.255 --> virtually mapped 10.1.1.12 to 10.1.3.40

asa(config)# access-list outside extended permit icmp any host 10.1.3.40 --> allow any host on the outside segment to ping

asa(config)# access-group outside in interface outside

or you can specify who can ping to specific destination:

asa(config)# access-list outside extended permit icmp host 10.1.3.100 host 10.1.3.40

asa(config)# access-group outside in interface outside

Note:

- replace the keyword 'outside' with any name/number

- you can narrow the icmp type, i.e. echo, echo-reply and so on. Add it at the end of the ACL.

HTH

AK
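Putting the reply's pieces together as one complete ASA 7.2 configuration (an added example, not the original poster's running config and not AK's own): it assumes the inside host 10.1.1.12 is reachable through the interface named inside and is published on the unused outside address 10.1.3.40, as in the reply, and it narrows the ACL to echo requests from the single outside host 10.1.3.100 (also taken from the reply) rather than permitting every ICMP type from anywhere. The default policy-map and class names (global_policy, inspection_default) are assumed to be in place. The show commands at the end are how you confirm the translation and the ACL hit count after a test ping.

```cisco
! Added example, not the poster's config. Addresses are the ones used in the
! reply; the inside host is assumed to sit behind the interface named "inside".

! 1. Publish the inside host on an unused outside address (pre-8.3 static NAT).
static (inside,outside) 10.1.3.40 10.1.1.12 netmask 255.255.255.255

! 2. Permit only echo requests, only from the one outside host that needs to
!    ping. The implicit deny at the end of the ACL drops all other inbound
!    traffic, so nothing else is exposed by this change.
access-list outside extended permit icmp host 10.1.3.100 host 10.1.3.40 echo

! 3. Bind the ACL inbound on the outside interface.
access-group outside in interface outside

! 4. Optional: inspect ICMP so echo-replies are matched to their requests
!    statefully instead of relying on an open return path.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verification after sending a ping from 10.1.3.100 to 10.1.3.40:
!   show xlate                         -> a translation of 10.1.3.40 to 10.1.1.12
!   show access-list outside           -> hitcnt on the permit line increases
!   show logging | include 10.1.3.40   -> no further "Deny inbound icmp" for this flow
```

If the ping still fails with the ACL in place, the hit count tells you which side to look at: a rising hitcnt means the ASA is permitting the request and the problem is the return path or the host itself; a hitcnt of 0 means the packet never matched, so check the destination address in the deny message against the static's outside address.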