jklogic.net » ICMP http://jklogic.net logical reality Tue, 07 Oct 2008 19:43:58 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Cisco ASA and ICMP Configurations http://jklogic.net/cisco-asa-and-icmp-configurations/ http://jklogic.net/cisco-asa-and-icmp-configurations/#comments Tue, 19 Feb 2008 15:59:50 +0000 James http://jklogic.net/cisco-asa-and-icmp-configurations/ As I am sure many of you who have ever worked with a Cisco firewall know, ICMP is not allowed through the firewall by default. If you are just configuring the device, this can make it very difficult to troubleshoot connectivity issues. Thankfully, there are several ways to get around this.

Solution 1: Use access-lists to allow pings from inside/DMZ to the outside.
To allow pinging from the inside to the outside interfaces, you will need to configure an access-list for the outside interface.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply

Then apply the access-list to the outside interface.

access-group OUTSIDE_IN_ACL in interface outside

This will allow only ping. If you would like to allow trace route, you will also need to allow time-exceeded.

access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded

Solution 2: Use access-list to allow ping and trace route from the internet to your dmz/inside servers.
To do this, we are going to build off of what we did above, so you should already have this in the config.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside

Now all we need to do is allow echo into the network.

access-list OUTSIDE_IN_ACL permit icmp any any echo

Even though we are allowing icmp, we still need to have a static mapping to allow the packets to reach the DMZ.

static (dmz,outside) PUBLIC_IP DMZ_IP netmask 255.255.255.255

Of course, you will need to have a static mapping for every server you want to have reachable from the internet.

Solution 3: This is a bit more complex, but will allow higher security level interfaces to ping/trace route lower security level interfaces without the use of access-lists. To do this, we will tell the ASA to inspect icmp in a service policy. If you are using a ASA, you should have a default policy in the base config called global_policy.

global_policy:

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global

To add icmp inspection.

FW-ASA(config)# policy-map global_policy
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp
]]> http://jklogic.net/cisco-asa-and-icmp-configurations/feed/ 56