Allow ICMP through Cisco ASA

Hi, this document is for freshers who are trying to allow ICMP through the ASA for the first time.

Router-1:

  interface f0/0
   ip address 10.0.0.2 255.255.255.0
   no shutdown
  interface f0/1
   ip address 192.168.1.1 255.255.255.0
   no shutdown
  ! default route pointing towards the firewall (ASA inside interface)
  ip route 0.0.0.0 0.0.0.0 10.0.0.1

Router-2:

  interface f0/0
   ip address 172.16.1.2 255.255.255.0
   no shutdown
  ! return route for the inside LAN via the ASA outside interface
  ip route 192.168.1.0 255.255.255.0 172.16.1.1
  ip route 0.0.0.0 0.0.0.0 172.16.1.1

ASA:

  interface e0/0
   nameif inside
   security-level 100
   ip address 10.0.0.1 255.255.255.0
   no shutdown
  interface e0/1
   nameif outside
   security-level 0
   ip address 172.16.1.1 255.255.255.0
   no shutdown
  ! route to the inside LAN behind Router-1
  route inside 192.168.1.0 255.255.255.0 10.0.0.2
  ! default route towards Router-2 (the next hop must be on the 172.16.1.0/24 outside subnet)
  route outside 0.0.0.0 0.0.0.0 172.16.1.2

------ The above is the basic configuration needed on the ASA ------

To allow ICMP:

1. NAT is required if the outside IP is from a public IP range (e.g. 209.165.200.0/24); for a private outside IP, NAT is not required.

2. NAT is not required if NAT control is not enabled on the firewall.

3. NAT is required if NAT control is enabled on the firewall, even if the outside IP is a private IP.

4. No ACL is needed, because by default traffic is allowed from a higher security level to a lower security level (in our case inside, level 100, to outside, level 0).

5. Just configure ICMP inspection, so that the ASA tracks the outbound echo requests and lets the matching echo replies back in; in our case that is what allows the ping:

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside

To enable ICMP inspection on all interfaces, use "service-policy icmp_policy global" in place of "interface outside". Note that the ASA allows only one global service policy, and the default configuration already applies global_policy globally, so in that case add "inspect icmp" to the existing global_policy rather than applying a second global policy.
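For the case in items 1 and 3 above, where NAT control is enabled, the ASA side also needs a translation before the ping will leave the outside interface. The following is an added example and is not part of the original document: it uses the pre-8.3 nat/global syntax that the NAT control feature belongs to, puts the ICMP inspection into the default global_policy instead of a separate interface policy, and ends with the show commands used to verify the result. The addresses are the document's own; the choice of dynamic PAT on the outside interface address is an assumption.

```cisco
! Added example (not from the original document): ASA with nat-control enabled,
! pre-8.3 nat/global syntax. Addresses are the ones used in the document.
nat-control
! Dynamic PAT: traffic from the inside networks leaves the outside interface
! using the outside interface address 172.16.1.1 (assumed design choice)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
! ICMP inspection in the default global policy: echo replies are matched to the
! outbound echo request that caused them and allowed back in on any interface
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
! Verification after a ping from a host in 192.168.1.0/24 to 172.16.1.2
show service-policy inspect icmp
show conn protocol icmp
show xlate
```

"show conn protocol icmp" should list the ICMP connection while the ping is running, and "show xlate" shows the PAT entry created for it; if the reply never arrives, check these two outputs before touching ACLs.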

Version history: revision 1 of 1, last updated 06-14-2013 10:26 AM
Comments
New Member

Is there a way to allow a ping from the inside to an outside router from only one IP address or subnet?
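One way to do what the comment above asks, added here as an example and not taken from the original document: an inbound ACL on the inside interface that permits ICMP echo only from one host (192.168.1.10, an assumed address) or, alternatively, from the whole 192.168.1.0/24 subnet. Once any ACL is applied to the inside interface, the default higher-to-lower permission no longer applies and the ACL's implicit deny takes over, so the last permit line keeps the rest of the inside-to-outside traffic working; the ICMP inspection from the document is still needed for the replies to get back in.

```cisco
! Added example (not from the original document). Host 192.168.1.10 is an assumed address.
! Allow echo requests from a single inside host towards the outside router
access-list INSIDE_IN extended permit icmp host 192.168.1.10 host 172.16.1.2 echo
! To allow the whole inside subnet instead, use this line in place of the host line:
! access-list INSIDE_IN extended permit icmp 192.168.1.0 255.255.255.0 host 172.16.1.2 echo
! Block ping from every other inside source
access-list INSIDE_IN extended deny icmp any any echo
! An applied ACL replaces the implicit high-to-low permit, so keep other traffic flowing
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
! Check the hit counts after testing from an allowed host and from a blocked one
show access-list INSIDE_IN
```

The deny line is what makes the restriction visible: its hit count in "show access-list INSIDE_IN" grows when a host that is not permitted tries to ping, which is also the easiest way to confirm the ACL is applied in the right direction.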

New Member

Should "route outside 0.0.0.0 0.0.0.0 172.16.0.2" not be "route outside 0.0.0.0 0.0.0.0 172.16.1.2"?

Router 2 doesn't have a 172.16.0.2 interface IP.