R1 wants to ping R3 but cannot. By default the Cisco ASA does not inspect ICMP, so when a host on the LAN sends an echo request through the ASA no connection entry is created for it; the echo reply coming back from the outside has no matching connection, is dropped, and the ping fails. There are two ways to allow ping through the ASA:
1> Create an ACL on the outside interface that permits the return traffic. This works, but is not recommended, because it opens ICMP inbound statelessly rather than only for replies to requests the LAN actually sent.
2> Start inspecting ICMP traffic, so the ASA tracks echo request/reply pairs like any other connection and lets only the matching reply back in.
ICMP can be inspected either globally, for all interfaces, or only for a specific subnet/host. The steps below do the latter, using a Modular Policy Framework (class-map, policy-map, service-policy) chain:
- Create an ACL that selects which traffic to inspect for ICMP. Match the echo requests in the direction they enter the ASA (source LAN to destination); the replies do not need an entry, because inspection creates the connection that lets them back in.
ASA(config)#access-list icmp-allow extended permit icmp 184.108.40.206 255.255.255.0 220.127.116.11 255.255.255.0
- Create an L3/L4 class map that matches the access list:
ASA(config)# class-map CMAP
ASA(config-cmap)# match access-list icmp-allow
- Create a policy map, reference the class map inside it, and enable ICMP inspection for that class:
ASA(config)# policy-map PMAP
ASA(config-pmap)# class CMAP
ASA(config-pmap-c)# inspect icmp
- Apply the policy map with a service-policy on the interface where the ICMP traffic enters the ASA. In this example that is the inside interface, because the echo requests originate on the LAN:
ASA(config)# service-policy PMAP interface inside
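The complete configuration for both approaches, as an added example that is not part of the original page. It keeps the page's names (icmp-allow, CMAP, PMAP, interface inside); the addresses (inside LAN 192.168.1.0/24, destination 203.0.113.0/24, test host 192.168.1.10 pinging 203.0.113.5) are assumptions chosen for illustration, and the global policy-map and class names (global_policy, inspection_default) are the factory defaults on an ASA, which may differ on a customized box.

```cisco
! Added example, not the original page's configuration.
! Assumed addresses: inside LAN 192.168.1.0/24, destination 203.0.113.0/24.

! --- Option A: inspect ICMP globally ----------------------------------------
! On a factory-default ASA the default policy map is named global_policy and is
! already attached with "service-policy global_policy global". Adding ICMP
! inspection to its default class enables it on every interface at once.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! --- Option B: inspect ICMP only for selected traffic -----------------------
! ACL selecting the echo requests in the direction they enter the ASA
! (inside LAN -> destination). Only the request needs to match; inspection
! creates the connection entry that admits the matching reply.
access-list icmp-allow extended permit icmp 192.168.1.0 255.255.255.0 203.0.113.0 255.255.255.0

class-map CMAP
 match access-list icmp-allow

policy-map PMAP
 class CMAP
  inspect icmp
  ! also track ICMP error messages (TTL exceeded, unreachable) so traceroute works
  inspect icmp error

! Only one service-policy can be attached per interface; for a given feature
! the interface policy takes precedence over the global policy.
service-policy PMAP interface inside

! --- Verification (privileged exec mode) ------------------------------------
! Confirm the policy is attached and the inspect counters increase while pinging:
show service-policy interface inside
! While a ping is in flight an ICMP connection entry should be present:
show conn | include ICMP
! If replies still drop, trace the ASA's decision for one echo request
! (ICMP type 8, code 0) from the assumed test host:
packet-tracer input inside icmp 192.168.1.10 8 0 203.0.113.5
```

The ACL in Option B must describe the traffic as it arrives on the interface carrying the service-policy; if the policy is instead attached to the outside interface, the ACL would have to match the requests entering there. Option A is simpler and is what most deployments use; Option B is worth the extra lines only when ICMP inspection should be confined to particular hosts or subnets.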