ASA Firewall 5520

Good morning from Spain,

I am taking my first steps with ASA firewalling. My issue is that I have created an ACL to permit traffic from the inside zone to the outside zone, but the ping from 192.168.0.2 to 172.16.0.1 doesn't work.

I attach the simple topology.

access-list inside extended permit ip any interface outside
access-group inside in interface inside

ASA Version 8.0(2)
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside extended permit ip any interface outside
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
username alfredo password lu1LhTMEN9oBa4C3 encrypted privilege 15
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956


kcnajaf
Level 7

Hi Alfredo,

I'm not a firewall guy but still :-)

Traffic is allowed from a high security-level interface (in your case the inside interface, as it has security level 100) to a low security-level interface (in your case the outside interface, as it has security level 0) by default. The ASA monitors all the traffic going out from the inside interface and allows the return traffic on the outside interface for that flow by default, without any ACL. So you don't need an ACL for sending traffic from inside to outside.

I would assume in your case this is not working because you are using ping. Ping is classified as ICMP traffic, not IP traffic. This is not working because by default the ASA does not inspect ICMP traffic. Unless and until the ASA inspects a particular kind of traffic on the inside interface, it will not allow the return traffic for flows going from higher to lower security levels by default.

So two ways to make this work.

In your configuration there should be a default inspection class map. Please add the line "inspect icmp" to this class map and try the ping.

or

Try adding a new ACL that allows ICMP echo-reply traffic sourced from outside to inside, and apply it on the outside interface in the inbound direction.

Something like this:

access-list ICMP extended permit icmp 172.16.0.0 255.255.255.0 any echo-reply
access-group ICMP in interface outside

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

I have configured your advice, but the ping (echo-reply) doesn't work.

I have written:

access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside

This permits the PING and TRACERT services.

Pinging still doesn't work.

Full configuration:

ASA# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end


Hi Alfredo,

Oops, my mistake. I didn't realise that you are pinging the ASA interface itself :-( My suggestion was based on the assumption that you were trying to ping the outside ISP router interface on the diagram. I hope that you are able to ping the ISP router interface from the inside host with my suggested configuration.

Vishaw is correct here with regards to the ASA interface ping.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

vishaw jasrotia
Level 1

Hello,

As per the firewall's default policy, you can't ping a firewall interface IP from another interface's subnet.

In your case you are accessing the outside interface IP from the inside zone subnet (192.168.0.2 to 172.16.0.1).

So it does not ping.

We can ping an interface IP from the respective interface's subnet only.

Thanks

By default the ASA will drop to-the-box ICMP packets sent to interfaces that are not the ingress interface, even if there is an ACL permitting such traffic. You would need to add the following command instead:

icmp permit <source-network> <mask> <interface>

So since you are trying to ping the outside interface from subnet 192.168.0.0/24, you would need to add the following command:

icmp permit 192.168.0.0 255.255.255.0 outside

--
Please remember to rate and select a correct answer
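The thread mixes two different ASA decisions: through-the-box ICMP (a host behind the ASA pinging the ISP router), which depends on security levels, `inspect icmp` and interface ACLs, and to-the-box ICMP (pinging an ASA interface address), which depends only on `icmp permit`/`icmp deny` for that interface. The following Python script is an added example, not code from the thread or from Cisco; it models those rules in simplified form (no NAT, no `same-security-traffic`, no `icmp deny` entries) and runs the five configurations discussed above against Alfredo's topology. The ISP router address 172.16.0.2 is a constructed value, assumed to be the other end of the /30.

```python
"""Simplified model of how an ASA treats an ICMP echo, for the thread's topology."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")  # the 'any' keyword in an ACL


@dataclass
class Interface:
    name: str
    security_level: int
    address: IPv4
    network: Net


@dataclass
class AclEntry:
    """Simplified 'access-list NAME extended permit icmp SRC DST [TYPE]'."""
    src: Net
    dst: Net
    icmp_type: Optional[str] = None  # None matches any ICMP type


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    inspect_icmp: bool = False  # 'inspect icmp' under the global policy-map
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)  # iface -> inbound ACL
    icmp_permits: List[Tuple[Net, str]] = field(default_factory=list)  # 'icmp permit SRC MASK IFACE'

    def _iface_for(self, ip: IPv4) -> Optional[Interface]:
        return next((i for i in self.interfaces.values() if ip in i.network), None)

    def _owner(self, ip: IPv4) -> Optional[Interface]:
        return next((i for i in self.interfaces.values() if i.address == ip), None)

    def _inbound_allowed(self, ingress: Interface, egress: Interface,
                         src: IPv4, dst: IPv4, icmp_type: str) -> bool:
        """New connection arriving on `ingress`: ACL if one is bound, else security levels."""
        entries = self.acls.get(ingress.name)
        if entries is None:
            return ingress.security_level > egress.security_level
        return any(src in e.src and dst in e.dst and e.icmp_type in (None, icmp_type)
                   for e in entries)

    def ping(self, src: str, dst: str) -> str:
        s, d = IPv4(src), IPv4(dst)
        ingress = self._iface_for(s)
        if ingress is None:
            return "dropped: source is not on any connected interface"
        owner = self._owner(d)
        if owner is not None:
            # To-the-box traffic: interface ACLs do not apply, only 'icmp permit/deny'.
            if owner.name == ingress.name:
                return "allowed: ping to the ingress interface"
            if any(s in net and name == owner.name for net, name in self.icmp_permits):
                return f"allowed: 'icmp permit' entry covers {owner.name}"
            return f"dropped: to-the-box ICMP to non-ingress interface {owner.name}"
        egress = self._iface_for(d)
        if egress is None:
            return "dropped: no connected interface for destination"
        # Through-the-box traffic: the echo itself, then the echo-reply coming back.
        if not self._inbound_allowed(ingress, egress, s, d, "echo"):
            return f"dropped: echo not permitted inbound on {ingress.name}"
        if self.inspect_icmp:
            return "allowed: echo forwarded, echo-reply matched by 'inspect icmp'"
        # Without inspection the reply is a brand-new flow from the low-security side.
        if self._inbound_allowed(egress, ingress, d, s, "echo-reply"):
            return f"allowed: echo forwarded, echo-reply permitted by ACL on {egress.name}"
        return f"dropped: echo forwarded, but stateless echo-reply blocked on {egress.name}"


def thread_asa(**kw) -> Asa:
    """Alfredo's two interfaces from the posted running config."""
    ifaces = {
        "inside": Interface("inside", 100, IPv4("192.168.0.1"), Net("192.168.0.0/24")),
        "outside": Interface("outside", 0, IPv4("172.16.0.1"), Net("172.16.0.0/30")),
    }
    return Asa(interfaces=ifaces, **kw)


HOST = "192.168.0.2"
ASA_OUTSIDE = "172.16.0.1"
ISP_ROUTER = "172.16.0.2"  # constructed: assumed ISP side of the /30


def verdicts() -> Dict[str, str]:
    """The configurations discussed in the thread, each run against the model."""
    return {
        "original_to_outside_ip": thread_asa().ping(HOST, ASA_OUTSIDE),
        "icmp_permit_to_outside_ip": thread_asa(
            icmp_permits=[(Net("192.168.0.0/24"), "outside")]).ping(HOST, ASA_OUTSIDE),
        "router_no_inspect": thread_asa().ping(HOST, ISP_ROUTER),
        "router_inspect_icmp": thread_asa(inspect_icmp=True).ping(HOST, ISP_ROUTER),
        "router_outside_acl": thread_asa(
            acls={"outside": [AclEntry(ANY, ANY, "echo-reply")]}).ping(HOST, ISP_ROUTER),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:28} {verdict}")
```

Running it shows why Alfredo's two attempts both failed: his destination is the ASA's own outside address, so neither `inspect icmp` nor OUTSIDE_IN_ACL is consulted at all, and only the `icmp permit 192.168.0.0 255.255.255.0 outside` entry changes the verdict. The same script shows that for a real through-the-box target the two fixes Najaf proposed do work, with `inspect icmp` being the one that keeps the outside ACL closed to unsolicited echo-replies.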
