Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

ASA Firewall 5520

Good moning from Spain,

I am in my first steps about ASA Firewalling. My issue is that have created a ACL to permit the traffic between inside zone to outside zone but don't work the ping between 192.168.0.2 to 172.16.0.1.

Attach the simple topology.

access-list inside extended permit ip any interface outside

access-group inside in interface inside

ASA Version 8.0(2)

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 172.16.0.1 255.255.255.252

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list inside extended permit ip any interface outside

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group inside in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

username alfredo password lu1LhTMEN9oBa4C3 encrypted privilege 15

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

http://networkingcontrol.wordpress.com/
#CCNP CSCO11962956       

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956
5 REPLIES
Gold

Re: ASA Firewall 5520

Hi Alfredo,

I'm not a firewall guy but still :-)

Traffic will be allowed from High- Security level interface (in your case from inside interface as it has security level of 100) to Low Security level (in your case outside interface as it has security level of 0) by default.ASA monitor all the traffic going from inside interface and allows the return traffic on outside interface for that flow by default with out any ACL.So you dont need an ACL from sending traffic from inside to outside. .

I would assume in your case this is not working because you are using ping. Ping is classified as ICMP traffic on not IP traffic. This is not working because by default ASA does not inspect ICMP traffic. Unless and until ASA inspect the any particular traffic on inside interface, it will not be allow the return traffic from higher to lower security levels by default

So two ways to make this work.

In your configuration there should be a default inspection class map. Please add no line "inspect icmp" to this class map and try the ping.

or

Try adding  a new ACL will allow ICMP ECHO-REPLY traffic sourced from outside to inside and apply it on outside interface inbound direction.

Some thing like this

access-list ICMP permit icmp 172.16.0.0 netmask 255.255.255.0 any echo-reply

access-group ICMP in interface outside

Hope that help.

Regards

Najaf

Please rate when applicable or helpful !!!

ASA Firewall 5520

I have configured your advices but don't work ping (echo-reply).

I have write:

access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply

access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded

access-group OUTSIDE_IN_ACL in interface outside

Permit PING and TRACERT services.

Don't work pinging:

All configuration:

ASA# show run

: Saved

:

ASA Version 8.0(2)

!

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 172.16.0.1 255.255.255.252

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply

access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group OUTSIDE_IN_ACL in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

Najaf KC escribió:

Hi Alfredo,

I'm not a firewall guy but still :-)

Traffic will be allowed from High- Security level interface (in your case from inside interface as it has security level of 100) to Low Security level (in your case outside interface as it has security level of 0) by default.ASA monitor all the traffic going from inside interface and allows the return traffic on outside interface for that flow by default with out any ACL.So you dont need an ACL from sending traffic from inside to outside. .

I would assume in your case this is not working because you are using ping. Ping is classified as ICMP traffic on not IP traffic. This is not working because by default ASA does not inspect ICMP traffic. Unless and until ASA inspect the any particular traffic on inside interface, it will not be allow the return traffic from higher to lower security levels by default

So two ways to make this work.

In your configuration there should be a default inspection class map. Please add no line "inspect icmp" to this class map and try the ping.

or

Try adding  a new ACL will allow ICMP ECHO-REPLY traffic sourced from outside to inside and apply it on outside interface inbound direction.

Some thing like this

access-list ICMP permit icmp 172.16.0.0 netmask 255.255.255.0 any echo-reply

access-group ICMP in interface outside

Hope that help.

Regards

Najaf

Please rate when applicable or helpful !!!

http://networkingcontrol.wordpress.com/
#CCNP CSCO11962956

http://networkingcontrol.wordpress.com/ #CCNP CSCO11962956
Gold

Re: ASA Firewall 5520

Hi Alfredo,

Opps my mistake..I didnt realise that you are pinging the ASA interface itself :-( My siggestion was based on the assumtion that you where trying to ping the outside ISP router interface on the diagram. I hope that you are able to ping the ISP router interface from the inside host with my suggested configurations.

Vishaw is correct here with regards to the ASA interface ping.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

New Member

Re: ASA Firewall 5520

Hello,

As per fire default policy , U can't the firewall interface IP from the other interface subnet.

As in your case u are accessing the outside interface IP form inside zone subnet (192.168.0.2 to 172.16.0.1).

So its not pinging.

We can ping the interface IP form respective interface subnet only.

Thanks

VIP Green

Re: ASA Firewall 5520

By default the ASA will drop to the box ICMP packets to interfaces that are not the ingress interface, even if there is an ACL permitting such traffic.  You would need to add the following command instead.

permit icmp

So since you are trying to ping the outside interface from subnet 192.168.0.0/24 you would need to add the following command.

permit icmp 192.168.0.0 255.255.255.0 outside

--
Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
147
Views
0
Helpful
5
Replies
CreatePlease login to create content