I've recently deployed a Cisco 5510 Security Plus (8.2.1) to a small company; I've the basics working, but just need to close off some further configurations. I have a couple of issues, but thought I'd start off with the most basic.
I'm trying to ping from INSIDE (from 10.84.x.x hosts, which are routed via separate router @ 10.84.0.1/126.96.36.199 to the Cisco ASA @ 188.8.131.52) to any machine on the OUTSIDE.
I have ICMP enabled in the default inspection map, however pings are still timing out, and I'm seeing the following in the logging (when pinging news.bbc.co.uk from my own desktop):
So the ASA is dropping the traffic due to that ACL, despite the fact there's a default ICMP inspection in play. Is there any reason why the ACL may override the inspection? If it makes any difference, there is dynamic NAT in play between the internal 10.84.x.x subnet and the external interface.
I've attached a sanitised copy of my running config. Apologies if it is difficult to read, or if I haven't provided enough information here; I'm fairly new to Cisco and the running configuration is very much a work in progress.
I'm not sure I totally understand this; surely all ASAs will require some sort of ACLs to filter traffic, and therefore ICMP inspection will always be overridden by the ACLs, rendering inspection useless in the majority of cases?
Or perhaps I misunderstand inspections in general; I thought they should bypass the need for ACLs, but are they actually purely used to allow translations, despite the fact I have dynamic NAT implemented, which I thought would handle it? Strangely, if I disable the ICMP inspection and instead create 'any icmp' rules in the ACLs, pings do begin to work...
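For reference, the following is an added configuration example (not the poster's sanitised running config, which is not reproduced on this page) showing how ICMP inspection and interface ACLs fit together on ASA 8.2. The interface names, the ACL name and the 255.255.0.0 mask for the 10.84.x.x range are assumptions. The point it illustrates: `inspect icmp` tracks an outbound echo-request and lets the matching echo-reply back in through the lower-security interface without an ACL entry for it, but it never replaces the inbound ACL applied on the interface where the request first arrives.

```text
! Added example, not the poster's config. Interface names, ACL name and
! the 10.84.0.0/16 mask are assumptions.
!
! ICMP inspection in the default global policy (present by default on
! 8.2 except for the two "inspect icmp" lines, which must be added).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Inspection only helps with the return traffic. The echo-request itself
! is still checked by whatever access-group is applied inbound on the
! interface it enters. If an ACL is applied inbound on "inside", it must
! permit the echo-request or the request is dropped before inspection
! sees it. (With no ACL on "inside", higher-to-lower security traffic is
! permitted by default and no ICMP entry is needed there.)
access-list inside_access_in extended permit icmp 10.84.0.0 255.255.0.0 any echo
access-list inside_access_in extended permit tcp 10.84.0.0 255.255.0.0 any eq www
access-list inside_access_in extended permit tcp 10.84.0.0 255.255.0.0 any eq https
access-group inside_access_in in interface inside
!
! No "permit icmp any any echo-reply" is needed in the ACL applied
! inbound on "outside": the echo-reply matches the connection that
! "inspect icmp" created for the outbound echo-request.
```

Without `inspect icmp`, the ASA has no connection entry for the ping, so the echo-reply arriving on `outside` is evaluated purely against that interface's inbound ACL and is dropped unless an explicit ICMP permit exists there, which is why broad `permit icmp any any` ACL entries appear to "fix" the problem at the cost of letting unsolicited ICMP in.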