10-30-2006 08:08 PM
I wish to allow ping through my ASA5520 to an inside machine, and tried to permit
ICMP from my outside machine to my inside machine in both directions, on both the outside and inside interfaces. But it still gives me this error:
%ASA-3-...: Deny inbound icmp src outside:MyoutsidePC dst outside:MyinsidePC (type8, code0)
Could anyone give me an example of how to configure an access-list for this case?
Any comments will be appreciated.
Thanks in advance.
My ASA5520 v7.21 configuration is:
interface GigabitEthernet0/0
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/0.101
vlan 101
no nameif
no security-level
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.102
vlan 102
no nameif
no security-level
ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.1.3.9 255.255.255.0
10-30-2006 09:36 PM
By default, PIX/ASA will deny incoming access/ICMP from outside (lower security) to inside/higher security level interfaces.
You need to open/use an ACL to allow inbound ICMP/ping from outside to inside, i.e. to your VLAN 101. Do the following:
General ICMP:
access-list outside extended permit icmp any any ---> permit any icmp type
access-group outside in interface outside --> bind ACL to outside interface
Ping to specific host:
- you need to map the inside host to an outside IP, so that outside users/hosts can ping it. Use the static command.
- the static command allows other external hosts to 'see' your internal host virtually. The ASA will switch/send the traffic correctly to the actual host.
Example - map VLAN 101 host 10.1.1.12 to the unused outside IP 10.1.3.40:
asa(config)# static (inside,outside) 10.1.3.40 10.1.1.12 netmask 255.255.255.255 --> virtually mapped 10.1.1.12 to 10.1.3.40
asa(config)# access-list outside extended permit icmp any host 10.1.3.40 --> allow any host on the outside segment to ping
asa(config)# access-group outside in interface outside
Or you can specify who can ping a specific destination:
asa(config)# access-list outside extended permit icmp host 10.1.3.100 host 10.1.3.40
asa(config)# access-group outside in interface outside
Note:
- replace the keyword 'outside' (the ACL name) with any name/number
- you can narrow the ICMP type, e.g. echo, echo-reply and so on. Add it at the end of the ACL entry.
HTH
AK
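Building on AK's answer, the following is an added configuration example (not from the original thread or from Cisco documentation) that narrows the inbound rule to echo requests only and enables ICMP inspection so replies are tracked statefully. The mapped address 10.1.3.40 and inside host 10.1.1.12 are the values from the answer; the ACL name outside_in is assumed.

```cisco
! Added example for ASA 7.2: static NAT plus an ICMP-narrowed inbound ACL.
! 10.1.3.40 / 10.1.1.12 come from the answer above; the ACL name outside_in is assumed.
!
! Map the inside host to an unused outside address so outside hosts can reach it.
! Without this, the packet arrives on outside with the real inside address as its
! destination, which is what the "dst outside:MyinsidePC" deny message reports.
static (inside,outside) 10.1.3.40 10.1.1.12 netmask 255.255.255.255
!
! Permit only echo requests (type 8) to the mapped address; everything else inbound
! still hits the implicit deny. Replace "any" with a specific source (e.g. host
! 10.1.3.100) to restrict who may ping.
access-list outside_in extended permit icmp any host 10.1.3.40 echo
access-group outside_in in interface outside
!
! Enable stateful ICMP inspection so each echo-reply is matched to its request and
! returns through the ASA without a separate permit for echo-reply.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

Verify with show access-list outside_in (the hit count on the echo entry should increase as pings arrive) and show xlate to confirm the static translation is in place.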