Ping through ASA
DCD
Member Posts: 475 ■■■■□□□□□□
Having an issue pinging through the ASA. It is real equipment running version 9.1 of the software. From the ASA I can ping the PC and the router, and from both the PC and the router I can ping the ASA. I'm missing something but I can't see it right now. Thanks for the help.
ciscoasa# sh route
C 10.0.0.0 255.255.255.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, Inside
d* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
ciscoasa# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ciscoasa# sh arp
outside 10.0.0.1 xxxx.xxxx.xxxx 11
Inside 192.168.1.2 xxxx.xxxx.xxxx 2
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.0.0.14 YES DHCP up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 192.168.1.1 YES manual up up
Management0/0 unassigned YES unset administratively down down
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-group 101 in interface outside
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
Comments
-
NetworkDude
Registered Users Posts: 1 ■■□□□□□□□□
You need to inspect ICMP in order for your pings to work.
Under the global policy, in class inspection_default: inspect icmp and inspect icmp err.
DCD
Member Posts: 475 ■■■■□□□□□□
Thank you NetworkDude. I did finally add it to the inspection_default policy, but I thought I could just use an access-list. Maybe that was good for older versions of the software.
-
rocdamike
Member Posts: 32 ■■□□□□□□□□
You can just use an access-list to allow ICMP without enabling ICMP inspection in the policy map. However, you are required to add a permit access-list control entry for the *response* traffic (in addition to an access-list control entry for the *request* traffic).
By enabling ICMP inspection in the policy map, you are basically telling the ASA to keep track of the connection in its state table and automatically allow the ICMP echo reply through without the need for an ACE for the response traffic.
On a side note, if you do not add any access lists on the ASA at all and wish to rely on its built-in feature of permitting traffic from a higher security level interface to a lower security level interface, you would still need to enable ICMP inspection in the policy map, otherwise the response traffic will not be allowed through.
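The two approaches rocdamike describes, written out as an added example for this ASA (this is illustrative configuration, not something posted in the thread). Approach A is the stateless one: the outbound echo request is allowed by the security-level rule and the inbound echo-reply must be matched by an explicit ACE on the outside interface ACL. Approach B enables stateful ICMP inspection in the default global policy so the reply is matched against the connection table instead. The interface names (outside, Inside), the addresses and access-list number 101 are taken from the original post; everything else is assumed, including that the router at 10.0.0.1 has a route back to 192.168.1.0/24 or that a NAT rule exists, since the ASA will not translate inside addresses for you without one.

```cisco
! --- Approach A: stateless, interface ACL only ---
! The echo request leaves Inside (security-level 100) for outside
! (security-level 0), which the ASA permits by default. The echo-reply
! arrives inbound on outside and must be permitted by the ACL there;
! the error types are included so traceroute and PMTU discovery work.
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-group 101 in interface outside

! --- Approach B: stateful ICMP inspection (what fixed the poster's problem) ---
! With "inspect icmp" the echo request creates an entry in the conn table
! and only the matching echo-reply (same id/sequence) is allowed back,
! with no ACE required for it. "inspect icmp error" additionally ties ICMP
! error messages (unreachable, time-exceeded) to the connection that
! triggered them instead of treating them as unsolicited traffic.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Verification (host addresses assumed from the original post) ---
! Simulate an echo request (type 8, code 0) from the inside PC to the
! upstream router and see each phase (route lookup, ACL, NAT, inspect);
! the final result line reports ALLOW or DROP with the reason.
packet-tracer input Inside icmp 192.168.1.2 8 0 10.0.0.1 detailed
! Confirm the inspection is active and counting packets.
show service-policy inspect icmp
! While a ping is running from the PC, the ICMP connection should be listed.
show conn protocol icmp
```

Approach B does not loosen the outside ACL: an unsolicited echo request arriving on outside is still evaluated against access-list 101 and dropped unless permitted. The practical difference is that with inspection the echo-reply ACE in approach A becomes unnecessary, and the ASA only admits replies that correspond to a request it actually saw, which is the tighter of the two configurations.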
BobMead
Member Posts: 55 ■■■□□□□□□□
Another quick tip to turn on ICMP is fixup protocol icmp.
:roll: