12-23-2012 09:08 AM - edited 03-11-2019 05:40 PM
Hi All,
I have an issue with allowing ICMP from outside to inside. Inside to outside works great.
I would really appreciate it if someone could give me some advice.
Thanks for all your help!!
r13 (210.1.1.2) >>>>>>>>>>>>>>>> (210.1.1.1) outside ASA inside (172.20.1.2)>>>>>>>>>>>(172.20.1.1) r7
Please find extract from show config from ASA:
Result of the command: "show run"
: Saved
:
ASA Version 8.0(2)
!
names
name 192.168.0.0 external description externalpingable
!
interface Ethernet0/0
nameif management
security-level 100
ip address 172.20.1.2 255.255.255.248
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 210.1.1.1 255.255.255.252
!
!
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
network-object external 255.255.0.0
network-object 210.1.1.0 255.255.255.252
access-list from_outside extended permit icmp any any echo
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 172.20.1.0 255.255.255.248 log disable
icmp unreachable rate-limit 1 burst-size 1
global (outside) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 210.1.1.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.1.1 255.255.255.255 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect ftp
inspect http
inspect icmp
inspect icmp error
inspect snmp
inspect tftp
!
service-policy global-policy global
12-23-2012 09:23 AM
Is it icmp/echo that you want to allow in?
Then you have to migrate the "from_outside"-ACL into the ACL that is bound to the outside-interface:
access-list outside_access_in extended permit icmp any any echo
In addition you need a static translation for the systems that you want to ping from outside.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
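The point of the answer above (an ACE only takes effect once it sits in the ACL that `access-group` binds to the interface) can be checked with a small model. The following is an added Python example written for this thread, not code from the thread or from Cisco: it parses only the `name`, `object-group network`, `access-list ... extended` and `access-group` lines of the posted configuration (copied into `SAMPLE_CONFIG`, which is constructed for the example) and evaluates a packet the way the ASA's interface ACL does: first match wins, and anything unmatched hits the implicit deny. The source address 203.0.113.9 is a constructed test value, and `acl_decision`/`interface_decision` are names chosen for the example. It supports only the subset of ASA syntax that appears in the thread.

```python
"""Toy model of ASA interface-ACL evaluation (added example, not ASA code)."""
import ipaddress

# Constructed copy of the ACL-related lines from the configuration posted in the thread.
SAMPLE_CONFIG = """
name 192.168.0.0 external description externalpingable
object-group network DM_INLINE_NETWORK_1
 network-object external 255.255.0.0
 network-object 210.1.1.0 255.255.255.252
access-list from_outside extended permit icmp any any echo
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 172.20.1.0 255.255.255.248 log disable
access-group outside_access_in in interface outside
"""


def _network(addr, mask, names):
    """Resolve a `name` alias and build a network from address + netmask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def _parse_addr(tok, i, names, groups):
    """Parse one source/destination spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    if tok[i] == "host":
        return [_network(tok[i + 1], "255.255.255.255", names)], i + 2
    return [_network(tok[i], tok[i + 1], names)], i + 2


def parse_config(text):
    """Extract names, network object-groups, extended ACLs and access-group bindings."""
    names, groups, acls, bindings = {}, {}, {}, {}
    current_group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":                                  # name <ip> <alias> ...
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            current_group = tok[2]
            groups[current_group] = []
        elif tok[0] == "network-object" and current_group:
            groups[current_group].append(_network(tok[1], tok[2], names))
        elif tok[0] == "access-list" and tok[2] == "extended":
            # access-list <name> extended <permit|deny> <proto> <src> <dst> [icmp-type] [log ...]
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = _parse_addr(tok, 5, names, groups)
            dst, i = _parse_addr(tok, i, names, groups)
            icmp_type = tok[i] if proto == "icmp" and i < len(tok) and tok[i] != "log" else None
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type})
        elif tok[0] == "access-group":                        # access-group <acl> in interface <ifc>
            bindings[tok[4]] = tok[1]
    return {"acls": acls, "bindings": bindings}


def acl_decision(cfg, acl_name, proto, src, dst, icmp_type=None):
    """First-match evaluation of one ACL; implicit deny if no ACE matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(cfg["acls"].get(acl_name, []), start=1):
        if ace["proto"] not in ("ip", proto):                 # `permit ip` also covers icmp
            continue
        if ace["icmp_type"] and ace["icmp_type"] != icmp_type:
            continue
        if any(s in net for net in ace["src"]) and any(d in net for net in ace["dst"]):
            return ace["action"], f"{acl_name} line {n}"
    return "deny", f"implicit deny at end of {acl_name}"


def interface_decision(cfg, interface, proto, src, dst, icmp_type=None):
    """Only the ACL bound to the ingress interface with `access-group` is consulted.
    An ACL that exists in the config but is not bound anywhere (from_outside in the
    thread) is never evaluated for packets arriving on that interface."""
    acl_name = cfg["bindings"].get(interface)
    if acl_name is None:
        return "default", f"no access-group on {interface}; the security-level default applies"
    return acl_decision(cfg, acl_name, proto, src, dst, icmp_type)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # Echo from r13 (210.1.1.2) to r7: already permitted by the `permit ip` ACE in outside_access_in.
    print(interface_decision(cfg, "outside", "icmp", "210.1.1.2", "172.20.1.1", "echo"))
    # An unlisted source: from_outside would permit it, but from_outside is not bound, so implicit deny.
    print(acl_decision(cfg, "from_outside", "icmp", "203.0.113.9", "172.20.1.1", "echo"))
    print(interface_decision(cfg, "outside", "icmp", "203.0.113.9", "172.20.1.1", "echo"))
    # The suggested fix: the echo ACE moved into the ACL that is bound to the outside interface.
    fixed = parse_config(SAMPLE_CONFIG + "access-list outside_access_in extended permit icmp any any echo\n")
    print(interface_decision(fixed, "outside", "icmp", "203.0.113.9", "172.20.1.1", "echo"))
```

Two things the model makes visible: the existing `permit ip` ACE already matches echo requests from 210.1.1.0/30 to 172.20.1.0/29 because `ip` covers every protocol, so a failing ping from r13 points at translation or routing rather than at the ACL; and the `from_outside` ACL is dead configuration until it is referenced by an `access-group` (or merged into the bound ACL, as suggested above).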
12-23-2012 09:43 AM
Thanks for your feedback.
I'll try and let you know.
12-23-2012 10:16 AM
Hi,
Do you want me to apply static NAT to inside host on its way out? Not sure how this can help.
Could you please clarify?
Thanks
12-23-2012 10:32 AM
When communicating from the lower to the higher security-level you need a static translation for the server that should be reachable.
Or do you just want to give r13 the possibility to communicate to r7? Then the ACL is all you need on the ASA. But r13 needs a route to the network 172.20.1.0/29.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
12-23-2012 11:28 AM
Hi,
Karsten thanks for your reply.
I applied the ACL and static routing but it still isn't working.
I can see hits against the ACL and translations/untranslations but ping still fails.
My running config looks like this:
Result of the command: "show run"
Any ideas?
names
name 192.168.0.0 external description externalpingable
!
interface Ethernet0/0
nameif management
security-level 100
ip address 172.20.1.2 255.255.255.248
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 210.1.1.1 255.255.255.252
!
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
network-object external 255.255.0.0
network-object 210.1.1.0 255.255.255.252
access-list from_outside extended permit icmp any any echo
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 172.20.1.0 255.255.255.248 log disable
icmp unreachable rate-limit 1 burst-size 1
global (outside) 101 interface
nat (management) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 210.1.1.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.1.1 255.255.255.255 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect ftp
inspect http
inspect icmp
inspect icmp error
inspect snmp
inspect tftp
!
service-policy global-policy global
12-23-2012 11:37 AM
Sorry, my bad. My access list was still pointing to the internal host.
Thanks!!! All good now!!!