In ASA post 8.3, is all ICMP blocked? Is that right? I know that ICMP is blocked from a high security level to a lower security level... is that right? For the sake of example, my inside is 100 and outside is 0, so by default if I have to ping yahoo.com I would not be able to do it?
This global inspection stuff by default, where you add icmp, will that make it work, or do I have to do an access-list? Secondly, what is the rule from low security to high security for ICMP? If I have a VPN and my client gets an IP from the pool which I have specified, will that be able to ping my inside interface or a host on the inside interface, or do I have to add an access-list?
For ICMP (where we only look at ping now) you have to differentiate three different scenarios:
1) Ping to the ASA: is actually always allowed unless you restrict it. There was a release a long time ago (was it in the 6-releases? I don't remember) that denied ping on the outside interface, but that was an exception.
2) Ping through the ASA without VPN: Here, a ping is a packet like anything else. It has to be inspected to automatically allow return traffic. This inspection is on by default for TCP and UDP but not for ICMP. The way to allow it is to enable the inspection and not to use an ACL entry for that. The problem with the ACL approach is that the echo-replies would also be allowed if there was no initiating request. The initial packet of course needs to be allowed by ACL or by security level.
3) Ping through a VPN: Here, by default all traffic coming from the VPN is allowed, and we have two ways to control that. The more modern way is to use a VPN filter, with the problem that these cannot be configured per direction. The old way (which was the only way years ago on the PIX) was that every new session that came from the VPN was compared against the ACL on the VPN-terminating interface, where it had to be allowed. Even today it is possible to restore this old behaviour.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
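The three scenarios in the reply, as an added ASA configuration example (this is not from the original post, nor Cisco's own documentation text); the interface names, ACL names, the VPN-side subnet and the management subnet are assumed for illustration:

```text
! Added example, not from the original post. Interface names, addresses and
! ACL names are assumed.
!
! --- Weak approach (what the reply warns against): permitting echo-reply in the outside ACL ---
! Any unsolicited echo-reply is admitted, whether or not an inside host sent a request.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! --- Preferred approach (scenario 2): stateful ICMP inspection in the default global policy ---
! Replies are admitted only for requests the ASA has seen, so no echo-reply ACL entry is needed.
! The initial echo-request still needs to be permitted by security level or ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
!
! Check: while an inside host pings out, the ICMP session should appear in the connection table
show conn protocol icmp
!
! Scenario 1: ping to the ASA itself is controlled separately with the icmp command.
! Example: allow echo to the outside interface only from an assumed management subnet.
icmp permit 192.0.2.0 255.255.255.0 echo outside
icmp deny any outside
!
! Scenario 3: restrict VPN traffic with a vpn-filter (not direction-aware), here on the default group policy,
! allowing only ICMP from the VPN toward an assumed inside subnet
access-list VPN_FILTER extended permit icmp any 10.0.0.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-filter value VPN_FILTER
!
! Alternatively, restore the old behaviour the reply mentions: VPN sessions are then checked
! against the ACL applied to the VPN-terminating interface
no sysopt connection permit-vpn
```

Once `inspect icmp` is in place, the `echo-reply` line in the outside ACL should be removed rather than left alongside it; otherwise the stateful check is bypassed for exactly the packets it was meant to cover.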