Options
Forbidden - You do not have permission to access this document??
itdaddy
Member Posts: 2,089 ■■■■□□□□□□
why do I keep on getting this..i cant post anything or any code to my account
why is this happen??????? why wont it take my code?? examples??
and how do yu put this in quotes I have tried using
why is this happen??????? why wont it take my code?? examples??
and how do yu put this in quotes I have tried using
but it doesnt work for me what is up?thanks
Comments
-
Options
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
Do a show run icmp:FW1# show run icmp icmp unreachable rate-limit 1 burst-size 1 icmp permit any Outside icmp permit any DMZ icmp permit any Inside
If you have any icmp permit statements like you see above then you'll want to look into those. You don't have to allow or deny ICMP using the ACL attached to your outside interface. If you have both statements I do NOT know which one will prevail or how they will affect each other. -
Optionsitdaddy
Member Posts: 2,089 ■■■■□□□□□□
You are the man cisco_trooper the man!
no wonder they call you cisco_trooper
this is what i did and it works just like you said:
I did have to make and ACL permit any any icmp then it worked.
but i change my icmp configs to this and it works
outbound from my lan pings anything and you cannot ping my itdaddy.net no more
freaking awesome thank you so much I appreciate you and your skills.
Robert
asa(config)# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asa(config)# -
Options
Ahriakin
Member Posts: 1,799 ■■■■■■■■□□
Actually in reference to a few posts you need to understand that nothing is coming from the Outside In unless you specifically allow it. You don't need an ACL entry to deny, you just don't permit it, that's the essence of a stateful firewall.
Now with ICMP the safest/easiest thing to do is statefully inspect it, this will allow pings/traceroutes to return safely but deny anything not initiated from the inside without the need for specific ACL entries from windows hosts at least, since *nix and Cisco tend to use UDP traceroutes you'll need specific returning ICMP ACEs (echo-reply, unreachable, time-exceeded) as there's no outbound ICMP for the firewall to statefully track. Whatever you do take the permit icmp any any off your outside ACL.
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
exit
exit
ICMP PERMIT/DENY (int) statements refer to the ASA's own interfaces only, not protected hosts.We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place? -
Optionscisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
ICMP PERMIT/DENY (int) statements refer to the ASA's own interfaces only, not protected hosts.
+1
This is true and I thought that was what we were doing.I am trying to stop pings from coming
to my asa from public -
Optionsitdaddy
Member Posts: 2,089 ■■■■□□□□□□
Why do I keep getting this when I post comments and replies help!
Forbidden
You do not have permission to access this document.
Web Server at techexams.net -
Options
Webmaster
Admin Posts: 10,292 Admin
Why do I keep getting this when I post comments and replies help!
Forbidden
You do not have permission to access this document.
Web Server at techexams.net
Just sent you a PM. -
Optionsitdaddy
Member Posts: 2,089 ■■■■□□□□□□
webmaster
got it thankyou i will watch my language ahaha;)
thanks
robert;)
