Cisco Support Community

Pings thru ASA/PIX 7.x

Got one more question relating to ICMP: with ICMP inspection enabled, when pinging from an outside host to an inside host, or from an inside host to an outside host, is it required to explicitly permit the return ICMP traffic?


4 REPLIES

Re: Pings thru ASA/PIX 7.x

Vikram, please refer to this link to learn how inbound and outbound ICMP requests work for both PIX code 6.x and ASA 7.x.

To ping a host inside your net from outside you have to permit echoes; this assumes there is a static NAT for the intended inside host to be pinged.

To ping from inside to outside, there are two ways to do it.

Quote from the link:

Either build an ACL:

    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-group 101 in interface outside

or:

    policy-map global_policy
     class inspection_default
      inspect icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Re: Pings thru ASA/PIX 7.x

This link specifically refers to pinging an outside host from inside.

As you have mentioned, with echoes allowed on the outside interface in the inward direction and ICMP inspection turned on: the echo-reply from the inside host, will it pass through the inspection engine or the ACL on the inside interface in the inward direction?

Hope you got my question, and will this be any different in transparent firewalls?

Re: Pings thru ASA/PIX 7.x (accepted solution)

Absolutely. With ICMP inspection, even if you have an ACL permitting ICMP, it will pass through the ICMP inspection engine; this applies also in transparent mode or multiple-context 7.x. The guideline is to use the ICMP inspection engine.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1665749
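The behaviour the thread is describing, as an added example that is not part of the original posts or of any Cisco code: a small Python model of the two return-traffic paths from the first reply, the stateless `access-list 101` applied inbound on the outside interface versus `inspect icmp`. Assumptions are labelled in the code: addresses are shown as they appear after the static NAT the first reply mentions (NAT itself is not modelled), ICMP error messages are only handled on the ACL path, and the inspection engine is modelled as keying a session on (source, destination, ICMP identifier, sequence number) and admitting exactly one matching reply, which is how the ASA command reference linked above describes the engine. The constructed packets are not captured traffic.

```python
"""Model of how an ASA/PIX 7.x admits ICMP echo return traffic.

Added example, not from the thread or from Cisco. Two policies are compared:
  StatelessAcl  - 'access-group 101 in interface outside' with the four ICMP
                  types the first reply lists; no memory of requests.
  IcmpInspect   - 'inspect icmp' as modelled here: an echo that is allowed
                  through opens a session keyed on (src, dst, id, seq) and
                  exactly one echo-reply matching that key is admitted.
Assumptions: addresses are post-static-NAT, NAT is not modelled, and ICMP
error types are only handled on the ACL path.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    iface: str       # interface the packet arrives on: "inside" or "outside"
    src: str
    dst: str
    itype: str       # "echo", "echo-reply", "unreachable", "time-exceeded", "source-quench"
    ident: int = 0   # ICMP identifier (echo / echo-reply)
    seq: int = 0     # ICMP sequence number (echo / echo-reply)


# The ICMP types access-list 101 permits inbound on outside (from the first reply).
ACL_101_OUTSIDE_IN = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}


class StatelessAcl:
    """ACL variant: any packet of a listed type is admitted, whether or not a request went out."""
    name = "acl"

    def allow(self, pkt: Icmp) -> bool:
        if pkt.iface == "inside":
            return True            # inside -> outside: higher to lower security, permitted by default
        return pkt.itype in ACL_101_OUTSIDE_IN


class IcmpInspect:
    """'inspect icmp' variant. outside_echo_permitted models the extra ACL line
    (plus static NAT) the first reply says is needed to ping an inside host from outside."""
    name = "inspect"

    def __init__(self, outside_echo_permitted: bool = False):
        self.outside_echo_permitted = outside_echo_permitted
        self.sessions: set = set()

    def allow(self, pkt: Icmp) -> bool:
        key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
        if pkt.itype == "echo":
            if pkt.iface == "outside" and not self.outside_echo_permitted:
                return False       # unsolicited inbound echo with no ACL permitting it
            self.sessions.add(key) # the request opens a session the reply will be matched against
            return True
        if pkt.itype == "echo-reply":
            reverse = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if reverse in self.sessions:
                self.sessions.remove(reverse)   # one reply per request; a duplicate is dropped
                return True
            return False           # no matching request on either interface: dropped
        return False               # ICMP errors are not modelled on this path (assumption)


def simulate(policy, packets) -> list:
    """Run packets through a fresh policy in order; returns one allow/drop verdict per packet."""
    return [policy.allow(p) for p in packets]


# Constructed traffic (not a capture). Inside host 10.1.1.5 pings 198.51.100.1;
# then a duplicated reply and an unsolicited reply arrive on outside.
OUTBOUND_PING = [
    Icmp("inside",  "10.1.1.5",     "198.51.100.1", "echo",       ident=7,  seq=1),
    Icmp("outside", "198.51.100.1", "10.1.1.5",     "echo-reply", ident=7,  seq=1),
    Icmp("outside", "198.51.100.1", "10.1.1.5",     "echo-reply", ident=7,  seq=1),  # duplicate
    Icmp("outside", "203.0.113.9",  "10.1.1.5",     "echo-reply", ident=99, seq=0),  # unsolicited
]

# Outside host 203.0.113.9 pings the (static-NAT'd) inside host; the reply leaves via inside.
INBOUND_PING = [
    Icmp("outside", "203.0.113.9", "10.1.1.5",    "echo",       ident=3, seq=1),
    Icmp("inside",  "10.1.1.5",    "203.0.113.9", "echo-reply", ident=3, seq=1),
]

if __name__ == "__main__":
    print("acl     outbound:", simulate(StatelessAcl(), OUTBOUND_PING))
    print("inspect outbound:", simulate(IcmpInspect(), OUTBOUND_PING))
    print("inspect inbound, echo not permitted:", simulate(IcmpInspect(), INBOUND_PING))
    print("inspect inbound, echo permitted:   ", simulate(IcmpInspect(True), INBOUND_PING))
```

Running it shows the difference the accepted answer is pointing at: the ACL path admits the duplicated and the unsolicited echo-reply because any packet of that type matches the list, while the inspection path admits only the single reply that matches an outstanding request. For the follow-up question, the inbound case shows that once the outside echo is permitted, the inside host's reply is matched by the inspection engine and needs no ACL entry on the inside interface.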

Re: Pings thru ASA/PIX 7.x

Thanks, I have rated your post.
