unable to ping from MZ to firewall

dhanikonda
Level 1

Dear All,

I am unable to ping from the MZ zone to the firewall IP. Can anybody please advise me how to enable ping?

I have my Spectrum server 10.242.103.42 in the MZ zone, which has security level 70, and the firewall inside IP 10.142.101.100, which has security level 100. Now I am unable to ping from the Spectrum server to my firewall inside IP.

Can anybody help me?

Thanks

Srinivas

3 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding, you cannot ping a Cisco firewall's interface IP from behind another interface.

Meaning you can ping an interface IP as long as the host is behind that interface.

For ICMP to work between hosts on 2 different interfaces, please check that you have the access-list allowing it and that you have the following configuration:

policy-map global_policy
 class inspection_default
  inspect icmp

- Jouni

By default ICMP is denied passage from a low security level to a high security level. When one host sends an ICMP request to any host it goes to port 0, and when the ICMP reply comes back it comes to port 8. So, because the ASA uses stateful packet inspection, the host does not see the reachability by ping.

If you want to, you can deploy an access-list (with "any any", or any particular host):

access-list 101 permit icmp any any
access-group 101 in interface MZ

But it gives you less security.

A better solution is to enable the ICMP inspector. ICMP is not a stateful protocol at all, but the ASA can infer enough information to make it seem stateful. The ICMP inspector can selectively (and automatically) open a "connection" to permit return traffic based on the original outbound requests. It will permit only one response to return for every request that is sent out. The ICMP sequence numbers must also match between a request and a reply packet. With "stateful" ICMP inspection, the ICMP connections and xlate entries can be quickly torn down as soon as the appropriate reply is received.

You can enable ICMP inspection as an action within a policy map by using the inspect icmp command. By default, the ICMP inspector does not permit any ICMP error packets to return. This is because an ICMP error message can be sent from an address other than the original ICMP target. You can use the inspect icmp error command to enable ICMP error processing as part of ICMP inspection.

Example 9-10 shows how ICMP and ICMP error inspection can be enabled globally, within the global_policy policy map.

Example 9-10 Enabling ICMP and ICMP Error Inspection Globally

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)#

Hope it will help you.

Let us know if it does not work.
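An added illustration, written for this page and not code from Cisco or from either poster: a small Python model of the behaviour that Jouni's `inspect icmp` configuration and the reply above describe. It tracks outbound echo requests by identifier and sequence number, lets exactly one matching reply back, tears the entry down, drops unsolicited requests arriving from the low-security side, and only passes an ICMP error (which may come from a different source than the ping target) when `inspect icmp error` is modelled on and the error quotes an open request. The interface names, security levels and addresses are constructed for the example; the two-interface "other side is the egress" rule is a simplification, not ASA logic.

```python
# Added illustration: a toy model of the ASA "stateful" ICMP inspection
# behaviour described in the thread. Not Cisco code; interface names,
# security levels and addresses are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ECHO_REQUEST = 8
ECHO_REPLY = 0
DEST_UNREACHABLE = 3

Key = Tuple[str, str, int, int]  # (src, dst, identifier, sequence)


@dataclass(frozen=True)
class Icmp:
    """One ICMP packet as the firewall sees it arrive on an interface."""
    ingress: str          # interface the packet arrived on
    src: str
    dst: str
    icmp_type: int
    ident: int = 0
    seq: int = 0
    # for ICMP error messages: the (src, dst, id, seq) of the echo request
    # quoted in the error's payload
    quoted: Optional[Key] = None


class IcmpInspector:
    def __init__(self, levels: Dict[str, int], inspect_errors: bool = False):
        self.levels = levels                    # interface name -> security level
        self.inspect_errors = inspect_errors    # models "inspect icmp error"
        self.pending: Dict[Key, str] = {}       # open echo "connections"

    def _egress(self, ingress: str) -> str:
        # two-interface model (assumption): the other interface is the egress
        return next(name for name in self.levels if name != ingress)

    def handle(self, pkt: Icmp) -> str:
        """Return 'permit' or 'drop', updating the pseudo-connection table."""
        egress = self._egress(pkt.ingress)

        if pkt.icmp_type == ECHO_REQUEST:
            if self.levels[pkt.ingress] > self.levels[egress]:
                # high -> low is allowed by default; remember id/seq so that
                # exactly one matching reply can come back
                self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = pkt.ingress
                return "permit"
            # low -> high unsolicited request: blocked unless an ACL allows it
            return "drop"

        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reverse of the request
            if self.pending.pop(key, None) is not None:
                # matching id/seq found: permit once, then tear the entry down
                return "permit"
            return "drop"

        # Any other type is treated as an ICMP error. Its source may differ from
        # the original target, so match on the request quoted inside the error.
        if self.inspect_errors and pkt.quoted in self.pending:
            return "permit"
        return "drop"


def run_demo(inspect_errors: bool = False) -> List[str]:
    """Replay a constructed exchange through the model; returns the verdicts."""
    fw = IcmpInspector({"inside": 100, "MZ": 70}, inspect_errors=inspect_errors)
    inside_host, mz_host = "10.142.101.5", "10.242.103.42"   # constructed addresses
    packets = [
        # 1. inside host pings the MZ server: permitted, entry opened
        Icmp("inside", inside_host, mz_host, ECHO_REQUEST, 7, 1),
        # 2. the matching reply: permitted once
        Icmp("MZ", mz_host, inside_host, ECHO_REPLY, 7, 1),
        # 3. a duplicate of that reply: entry already torn down, dropped
        Icmp("MZ", mz_host, inside_host, ECHO_REPLY, 7, 1),
        # 4. a reply whose sequence number matches no request: dropped
        Icmp("MZ", mz_host, inside_host, ECHO_REPLY, 7, 99),
        # 5. unsolicited request from the low-security MZ side: dropped
        Icmp("MZ", mz_host, inside_host, ECHO_REQUEST, 9, 1),
        # 6. a new request, then an unreachable error from a router in between
        Icmp("inside", inside_host, mz_host, ECHO_REQUEST, 7, 2),
        Icmp("MZ", "10.242.103.1", inside_host, DEST_UNREACHABLE,
             quoted=(inside_host, mz_host, 7, 2)),
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for flag in (False, True):
        print("inspect icmp error" if flag else "inspect icmp only", run_demo(flag))
```

Running it shows the same exchange twice: with `inspect icmp` alone the final unreachable message is dropped, and with the error inspection modelled on it is permitted because it quotes the open request; the unsolicited request from the MZ side is dropped in both runs, which is the situation the original question describes.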
