Forbidden - You do not have permission to access this document??

itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
Why do I keep on getting this? I can't post anything or any code to my account.
Why is this happening? Why won't it take my code? Examples?
And how do you put this in quotes? I have tried using
but it doesn't work for me. What is up? Thanks

Comments

  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    Do a show run icmp:
    FW1# show run icmp
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    icmp permit any DMZ
    icmp permit any Inside
    

    If you have any icmp permit statements like you see above then you'll want to look into those. You don't have to allow or deny ICMP using the ACL attached to your outside interface. If you have both statements I do NOT know which one will prevail or how they will affect each other.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    You are the man cisco_trooper the man!
    no wonder they call you cisco_trooper

    This is what I did and it works just like you said:
    I did have to make an ACL permit any any icmp, then it worked.
    But I changed my icmp configs to this and it works:
    outbound from my LAN pings anything and you cannot ping my itdaddy.net no more.
    Freaking awesome, thank you so much. I appreciate you and your skills.

    Robert ;)

    asa(config)# sh run icmp
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp deny any outside
    asa(config)#
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Actually, in reference to a few posts, you need to understand that nothing is coming from the Outside In unless you specifically allow it. You don't need an ACL entry to deny; you just don't permit it. That's the essence of a stateful firewall.

    Now with ICMP the safest/easiest thing to do is statefully inspect it. This will allow pings/traceroutes to return safely but deny anything not initiated from the inside without the need for specific ACL entries, from Windows hosts at least. Since *nix and Cisco tend to use UDP traceroutes, you'll need specific returning ICMP ACEs (echo-reply, unreachable, time-exceeded), as there's no outbound ICMP for the firewall to statefully track. Whatever you do, take the permit icmp any any off your outside ACL.

    policy-map global_policy
    class inspection_default
    inspect icmp
    inspect icmp error
    exit
    exit

    ICMP PERMIT/DENY (int) statements refer to the ASA's own interfaces only, not protected hosts.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
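Added example, not part of any post in this thread: a small audit of an ASA running-config for the three points raised above (a blanket `permit icmp any any` on the outside ACL, `icmp permit` on the ASA's own outside interface, and missing ICMP inspection). The sample config, the ACL name `outside_in` and the function name `audit_icmp` are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE = """\
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-group outside_in in interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
policy-map global_policy
 class inspection_default
  inspect dns
"""

def audit_icmp(config, outside="outside"):
    """Return findings about ICMP handling on the outside interface."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Names of ACLs bound inbound to the outside interface.
    acls = {m.group(1) for l in lines
            if (m := re.fullmatch(r"access-group (\S+) in interface (\S+)", l))
            and m.group(2).lower() == outside.lower()}
    for l in lines:
        # Through-the-box: a blanket ICMP permit on the outside ACL.
        # Typed ACEs (echo-reply, time-exceeded, ...) are not flagged.
        m = re.fullmatch(r"access-list (\S+) extended permit icmp any any", l)
        if m and m.group(1) in acls:
            findings.append(f"outside ACL permits all ICMP: {l}")
        # To-the-box: the ASA's own outside interface answers ICMP.
        m = re.fullmatch(r"icmp permit any (\S+)", l)
        if m and m.group(1).lower() == outside.lower():
            findings.append(f"ASA outside interface accepts ICMP: {l}")
    # Stateful inspection lets replies to inside-initiated ICMP return.
    for cmd in ("inspect icmp", "inspect icmp error"):
        if cmd not in lines:
            findings.append(f"missing stateful inspection: {cmd}")
    return findings

if __name__ == "__main__":
    for finding in audit_icmp(SAMPLE):
        print(finding)
```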
  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    Ahriakin wrote: »
    ICMP PERMIT/DENY (int) statements refer to the ASA's own interfaces only, not protected hosts.

    +1
    This is true and I thought that was what we were doing.
    itdaddy wrote: »
    I am trying to stop pings from coming
    to my asa from public
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    Why do I keep getting this when I post comments and replies? Help!

    Forbidden
    You do not have permission to access this document.



    Web Server at techexams.net
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    itdaddy wrote: »
    Why do I keep getting this when I post comments and replies? Help!

    Forbidden
    You do not have permission to access this document.



    Web Server at techexams.net

    Just sent you a PM.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    webmaster

    Got it, thank you. I will watch my language ahaha ;)
    thanks
    robert;)
