Allow ping through ASA


R1 wants to ping R3 but is not able to. By default the Cisco ASA does not inspect ICMP, which means that if you ping a server from the LAN the echo reply will not come back through the firewall. There are two solutions to allow ping through the ASA:

1> Create an ACL that permits the return traffic, which is not recommended.
2> Start inspecting ICMP traffic.

To inspect ICMP you can either inspect ICMP globally or inspect ICMP only for a specific subnet/host. The steps below show the second option:

  1. Create an ACL to specify which traffic to inspect for ICMP.
    ASA(config)#access-list icmp-allow extended permit icmp 11.11.11.0 255.255.255.0 13.13.13.0 255.255.255.0
  2. Create an L3/L4 class map and match the access list:
    ASA(config)#class-map CMAP
    ASA(config-cmap)# match access-list icmp-allow
  3. Create a policy map, call the created class map inside it, and tell it to inspect ICMP.
    ASA(config)#policy-map PMAP
    ASA(config-pmap)# class CMAP
    ASA(config-pmap-c)# inspect icmp
  4. Apply the policy map with the help of a service policy on the interface where the ICMP traffic will arrive. In this example we apply it on the inside interface.
    ASA(config)# service-policy PMAP interface inside
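The global alternative mentioned above, together with the commands used to verify that inspection is working, as an added example that is not part of the original post. It assumes the ASA still has its factory default global policy objects (class-map inspection_default matching default-inspection-traffic, policy-map global_policy applied with service-policy global_policy global); the subnets are the post's lab subnets.

```cisco
! Added example (not from the original post): inspect ICMP globally instead of
! only for the 11.11.11.0/24 -> 13.13.13.0/24 traffic matched by the ACL above.
! Assumes the default global policy exists, as on a factory configuration:
!   class-map inspection_default / match default-inspection-traffic
!   policy-map global_policy / service-policy global_policy global
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
! Optional: also inspect ICMP error messages (TTL exceeded, unreachable) so
! that traceroute and path MTU discovery work correctly through NAT.
ASA(config-pmap-c)# inspect icmp error
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit

! Verification while R1 pings R3.
! 1) The inspect counters should increase with every echo request:
ASA# show service-policy inspect icmp
! 2) The inspection creates a connection entry per echo request, and only the
!    matching echo reply is allowed back. This is why inspection is preferred
!    over an ACL that permits all inbound ICMP:
ASA# show conn | include ICMP
```

If only the interface policy PMAP from the steps above is applied, ICMP between other subnets is still dropped; the global policy applies to all interfaces that have no more specific interface policy matching the traffic.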