Forbidden - You do not have permission to access this document??

why do I keep on getting this..i cant post anything or any code to my account
why is this happen??????? why wont it take my code?? examples??
and how do yu put this in quotes I have tried using

but it doesnt work for me what is up?thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

cisco_trooper

Do a show run icmp:

FW1# show run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any DMZ
icmp permit any Inside

If you have any icmp permit statements like you see above then you'll want to look into those. You don't have to allow or deny ICMP using the ACL attached to your outside interface. If you have both statements I do NOT know which one will prevail or how they will affect each other.

itdaddy

You are the man cisco_trooper the man!
no wonder they call you cisco_trooper

this is what i did and it works just like you said:
I did have to make and ACL permit any any icmp then it worked.
but i change my icmp configs to this and it works
outbound from my lan pings anything and you cannot ping my itdaddy.net no more
freaking awesome thank you so much I appreciate you and your skills.

Robert

asa(config)# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asa(config)#

Ahriakin

Actually in reference to a few posts you need to understand that nothing is coming from the Outside In unless you specifically allow it. You don't need an ACL entry to deny, you just don't permit it, that's the essence of a stateful firewall.

Now with ICMP the safest/easiest thing to do is statefully inspect it, this will allow pings/traceroutes to return safely but deny anything not initiated from the inside without the need for specific ACL entries from windows hosts at least, since *nix and Cisco tend to use UDP traceroutes you'll need specific returning ICMP ACEs (echo-reply, unreachable, time-exceeded) as there's no outbound ICMP for the firewall to statefully track. Whatever you do take the permit icmp any any off your outside ACL.

policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
exit
exit

ICMP PERMIT/DENY (int) statements refer to the ASA's own interfaces only, not protected hosts.

cisco_trooper

Ahriakin wrote: »

ICMP PERMIT/DENY (int) statements refer to the ASA's own interfaces only, not protected hosts.

+1
This is true and I thought that was what we were doing.

itdaddy wrote: »

I am trying to stop pings from coming
to my asa from public

itdaddy

Why do I keep getting this when I post comments and replies help!

Forbidden
You do not have permission to access this document.

Web Server at techexams.net

Webmaster

itdaddy wrote: »

Why do I keep getting this when I post comments and replies help!

Forbidden
You do not have permission to access this document.

Web Server at techexams.net

Just sent you a PM.

itdaddy

webmaster

got it thankyou i will watch my language ahaha;)
thanks
robert;)