Ping through ASA

Answered Question
Dec 5th, 2009

I have a problem, as I permitted PING by the following commands:


icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside


I can ping from the outside (PC) to the inside (PC), but I can't ping from the inside (PC) to the outside (PC).


And another question: can the interfaces of the firewall ping each other if I use extended ping on the firewall? In this state, both interfaces are not pinging each other either.


Thanks In Advance


Ayman Yehia

Correct Answer by Conor Cunningham about 7 years 5 months ago

Hi Yehia,


I believe you need to add ICMP to your inspection policy-map. After I issued 'inspect icmp' from within my policy-map, it worked.



On my ASA 5505 in my home lab I have the following;


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global


Hope that helps.


Conor

Correct Answer by Jon Marshall about 7 years 5 months ago

207558867 wrote:


I have a problem, as I permitted PING by the following commands:


icmp permit any echo admin-outside
icmp permit any echo-reply admin-outside
icmp permit any echo admin-inside
icmp permit any echo-reply admin-inside


I can ping from the outside (PC) to the inside (PC), but I can't ping from the inside (PC) to the outside (PC).


And another question: can the interfaces of the firewall ping each other if I use extended ping on the firewall? In this state, both interfaces are not pinging each other either.


Thanks In Advance


Ayman Yehia


Ayman


The "icmp permit ..." command controls which interfaces on the firewall can be pinged, not which devices can ping through the firewall.


Have a look at this document which covers how to allow ping through an ASA/Pix firewall -


ASA ping


Can the interfaces ping each other - no they can't.


Jon

Overall Rating: 5 (2 ratings)
Correct Answer
Jon Marshall Sat, 12/05/2009 - 15:57

Correct Answer
Conor Cunningham Sun, 12/06/2009 - 11:56

ayman emara Sun, 12/06/2009 - 23:54

Thanks a lot, adding the ICMP to the inspection already did it.
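
The two answers combined, as an added Python sketch that is not from the thread or from Cisco: a simplified model of through-the-box ICMP in which the `icmp permit` lines play no part, and an echo reply arriving on the outside interface passes only if `inspect icmp` recorded the request or an ACL permits type 0. The security-level defaults, the ACL on the outside interface and the addresses are assumptions made for the model.

```python
from dataclasses import dataclass, field

ECHO, ECHO_REPLY = 8, 0  # ICMP type numbers

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int = 1
    seq: int = 1

@dataclass
class Firewall:
    """Toy model (assumption) of through-the-box ICMP on a two-interface firewall."""
    inspect_icmp: bool = False            # 'inspect icmp' present in the policy-map?
    outside_acl: frozenset = frozenset()  # ICMP types an ACL permits inbound on outside
    sessions: set = field(default_factory=set)

    def forward(self, pkt, ingress):
        if ingress == "inside":
            # Inside -> outside is allowed by default (higher to lower security level).
            if self.inspect_icmp and pkt.icmp_type == ECHO:
                # Inspection remembers the request so the matching reply can return.
                self.sessions.add((pkt.dst, pkt.src, pkt.ident, pkt.seq))
            return "permit"
        key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
        if pkt.icmp_type == ECHO_REPLY and key in self.sessions:
            self.sessions.discard(key)    # one reply per request
            return "permit (inspection)"
        if pkt.icmp_type in self.outside_acl:
            return "permit (acl)"
        return "deny"                     # outside -> inside is denied by default

def ping(fw, src, dst, src_side):
    """True if the echo request and its reply both cross the firewall."""
    back = "outside" if src_side == "inside" else "inside"
    if fw.forward(Icmp(src, dst, ECHO), src_side) == "deny":
        return False
    return fw.forward(Icmp(dst, src, ECHO_REPLY), back) != "deny"

# Constructed addresses (RFC 1918 / RFC 5737), not taken from the thread.
INSIDE_PC, OUTSIDE_PC = "10.0.0.5", "198.51.100.7"
```

In this model, an ACL that permits echo-reply on the outside interface also lets an unsolicited reply through, while inspection passes only a reply that matches a recorded request.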
