02-28-2014 02:15 AM - edited 03-11-2019 08:51 PM
Good morning from Spain,
I am taking my first steps with ASA firewalling. My issue is that I have created an ACL to permit traffic from the inside zone to the outside zone, but the ping from 192.168.0.2 to 172.16.0.1 doesn't work.
I attach the simple topology.
access-list inside extended permit ip any interface outside
access-group inside in interface inside
ASA Version 8.0(2)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 172.16.0.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside extended permit ip any interface outside
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
username alfredo password lu1LhTMEN9oBa4C3 encrypted privilege 15
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
http://networkingcontrol.wordpress.com/
#CCNP CSCO11962956
02-28-2014 03:06 AM
Hi Alfredo,
I'm not a firewall guy but still :-)
Traffic will be allowed from a high-security-level interface (in your case the inside interface, as it has a security level of 100) to a low-security-level interface (in your case the outside interface, as it has a security level of 0) by default. The ASA monitors all the traffic going out from the inside interface and allows the return traffic on the outside interface for that flow by default, without any ACL. So you don't need an ACL for sending traffic from inside to outside.
I would assume in your case this is not working because you are using ping. Ping is classified as ICMP traffic, not IP traffic. This is not working because by default the ASA does not inspect ICMP traffic. Unless and until the ASA inspects any particular traffic on the inside interface, it will not allow the return traffic from higher to lower security levels by default.
So two ways to make this work.
In your configuration there should be a default inspection class map. Please add the line "inspect icmp" to this class map and try the ping.
or
Try adding a new ACL that will allow ICMP ECHO-REPLY traffic sourced from outside to inside and apply it on the outside interface in the inbound direction.
Something like this:
access-list ICMP extended permit icmp 172.16.0.0 255.255.255.0 any echo-reply
access-group ICMP in interface outside
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
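The two options Najaf describes, written out as an added example in ASA 8.0 CLI syntax (this is not from the original post). Both only affect ICMP that transits the ASA, for instance from 192.168.0.2 to a host beyond the outside interface; pinging the ASA's own outside address is a different case dealt with later in the thread. The ISP router address 172.16.0.2 in the packet-tracer line is an assumption (the outside interface sits on a /30).

```cisco
! Option A: stateful ICMP inspection. With this in place the ASA creates a
! connection entry for each echo-request leaving inside and admits only the
! matching echo-reply (and related ICMP errors); no outside ACL is needed.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

! Option B: no ICMP inspection; open the reply types explicitly on the
! outside interface instead. The source of an echo-reply is the host that
! was pinged, and time-exceeded comes from every router along a traceroute,
! so restricting the source to 172.16.0.0/30 only works for pinging the ISP
! router itself. Note that this admits replies whether or not an echo was
! ever sent, which option A does not.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside

! Verification (172.16.0.2 assumed to be the ISP router):
packet-tracer input inside icmp 192.168.0.2 8 0 172.16.0.2
show service-policy inspect icmp
show access-list OUTSIDE_IN
```

packet-tracer walks the packet through the ACL, NAT and inspection phases and names the phase that drops it, which is quicker than guessing; the hit counts on show access-list tell you whether the echo-reply lines are being matched at all.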
02-28-2014 11:50 AM
I have configured what you advised, but ping (echo-reply) doesn't work.
I have written:
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside
Permit PING and TRACERT services.
Pinging doesn't work:
Full configuration:
ASA# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 172.16.0.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
http://networkingcontrol.wordpress.com/
#CCNP CSCO11962956
02-28-2014 09:30 PM
Hi Alfredo,
Oops, my mistake. I didn't realise that you are pinging the ASA interface itself :-( My suggestion was based on the assumption that you were trying to ping the outside ISP router interface on the diagram. I hope that you are able to ping the ISP router interface from the inside host with my suggested configuration.
Vishaw is correct here with regards to the ASA interface ping.
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
02-28-2014 03:29 AM
Hello,
As per the firewall's default policy, you can't ping a firewall interface IP from another interface's subnet.
In your case you are accessing the outside interface IP from the inside zone subnet (192.168.0.2 to 172.16.0.1).
So it's not pinging.
We can ping an interface IP from the respective interface's subnet only.
Thanks
03-01-2014 01:48 AM
By default the ASA will drop to-the-box ICMP packets to interfaces that are not the ingress interface, even if there is an ACL permitting such traffic. You would need to add the following command instead.
icmp permit <source> <mask> <interface>
So since you are trying to ping the outside interface from subnet 192.168.0.0/24 you would need to add the following command.
icmp permit 192.168.0.0 255.255.255.0 outside
--
Please remember to rate and select a correct answer
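The fix from the last reply, as an added example (not from the original thread), with the full ASA 8.0 icmp-rule syntax and the checks to run. It assumes the thread's addressing: inside 192.168.0.0/24, outside interface 172.16.0.1 on a /30. The rule for the inside subnet is narrower than the one in the reply (echo only); the two rules that follow it are an added hardening assumption, not something the thread asked for.

```cisco
! To-the-box ICMP is governed by icmp rules, not by interface ACLs.
! Rules are evaluated per interface, first match wins, and as soon as any
! rule exists for an interface an implicit deny ends that interface's list.

! Allow echo from the inside subnet to the outside interface address:
icmp permit 192.168.0.0 255.255.255.0 echo outside
! Keep the default behaviour for the directly connected /30 and refuse
! everything else aimed at the outside address (the Internet cannot ping it):
icmp permit 172.16.0.0 255.255.255.252 outside
icmp deny any outside
! inside has no icmp rule, so it keeps the default and still answers pings
! from 192.168.0.0/24.

! Verification:
show running-config icmp
! then, from 192.168.0.2:  ping 172.16.0.1   (replies expected now)
show asp drop
```

Run show asp drop once before and once after the change while the host pings: before the fix the to-the-box ICMP drop counter increases with every echo, after it the counter stays flat. Leaving the deny off would reopen the outside address to echo from any source the moment another permit is added, so it is worth keeping even in a lab.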