Solved

How to allow ping from inside interface to dmz interface on a Cisco ASA 5505

Posted on 2009-06-29
2
1,070 Views
Last Modified: 2013-11-29
Hi all,

I've a server in our DMZ that I would like to ping so I can monitor up time effectively.

It seems Cisco block ICMP by default, but my efforts using the graphical interface to change this have been invain. Please help - I've attached by config file below.

Many thanks - Mike
: Saved

:

ASA Version 7.2(3) 

!

hostname blah

domain-name ####

enable password #### encrypted

names

name 172.18.231.0 IPVPN

name 172.18.241.5 CONDIR 

name 172.19.0.3 DMZ-SMTP 

name 172.19.0.4 DMZ-SFTP 

name 172.19.0.5 DMZ-FTP 

name 172.18.200.2 RIGEL

name 172.18.200.4 CAPELLA 

name 172.19.0.7 GSTAR 

name 172.18.200.14 CRM

name 172.18.200.13 Sharepoint

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 172.18.0.2 255.255.0.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 123.456.789.111 255.255.255.240 

!

interface Vlan3

 no forward interface Vlan1

 nameif dmz

 security-level 50

 ip address 172.19.0.2 255.255.255.0 

!

interface Vlan13

 nameif pdmz

 security-level 100

 ip address 172.10.0.2 255.255.0.0 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

 switchport access vlan 3

!

interface Ethernet0/3

 switchport access vlan 13

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd #### encrypted

ftp mode passive

dns domain-lookup dmz

dns server-group DefaultDNS

 domain-name #####

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service StndInternet tcp

 port-object eq ftp

 port-object eq ftp-data

 port-object eq www

 port-object eq https

access-list outside_access_in 

access-list outside_access_in extended deny ip host #### any 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq smtp 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host Sharepoint eq https 

access-list outside_access_in 

access-list outside_access_in  

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 8001 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp-data 

access-list outside_access_in 

access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 2773 

access-list outside_access_in extended permit tcp host 123.456.789.111 host 172.18.230.97 range 6000 60063 inactive 

access-list outside_access_in 

access-list outside_access_in extended deny ip host ##### any 

access-list outside_access_in 

access-list outside_access_in 

access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 

access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 

access-list inside_nat0_outbound extended permit ip any IPVPN 255.255.255.0 

access-list inside_nat0_outbound extended permit ip host CONDIR host #### 

access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 

access-list VPNNET_splitTunnelAcl standard permit host 123.456.789.111 

access-list VPN_splitTunnelAcl standard permit any 

access-list inside_outbound_nat_acl extended permit ip any IPVPN 255.255.255.0 

access-list outside_cryptomap_dyn_20 extended permit ip any IPVPN 255.255.255.0 

access-list outside_1_cryptomap extended permit ip host CONDIR host #### 

access-list outside_2_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 

access-list dmz_access_in extended permit ip any any 

access-list dmz_access_out extended permit ip any any 

access-list pdmz_access_out extended permit tcp any host RIGEL 

access-list acl_pdmz_to_inside extended permit ip any any 

access-list pdmz_in extended permit ip any any 

access-list pdmz_access_out_1 extended permit ip any interface inside inactive 

access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply inactive 

access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded inactive 

access-list OUTSIDE_IN_ACL extended permit icmp any any echo inactive 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu pdmz 1500

ip local pool IPVPN 172.18.231.1-172.18.231.254

no failover

monitor-interface inside

monitor-interface outside

monitor-interface dmz

monitor-interface pdmz

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.18.0.0 255.255.0.0

nat (dmz) 1 172.19.0.0 255.255.0.0

nat (pdmz) 1 172.10.0.0 255.255.0.0

static (dmz,outside) 123.456.789.111 DMZ-SFTP netmask 255.255.255.255 

static (dmz,outside) 123.456.789.111 DMZ-FTP netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 RIGEL netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 CAPELLA netmask 255.255.255.255 

static (inside,dmz) 123.456.789.111 172.18.0.0 netmask 255.255.0.0 

static (inside,dmz) 123.456.789.111 DMZ-SMTP netmask 255.255.255.255 

static (dmz,outside) 123.456.789.111 GSTAR netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 CRM netmask 255.255.255.255 

static (inside,outside) 123.456.789.111 Sharepoint netmask 255.255.255.255 

static (dmz,outside) 123.456.789.111 172.19.0.2 netmask 255.255.255.255 

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

access-group dmz_access_out out interface dmz

access-group pdmz_in in interface pdmz

access-group pdmz_access_out out interface pdmz

route outside 0.0.0.0 0.0.0.0 123.456.789.111 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

filter java 81 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 

filter activex 813 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 

http server enable

http 172.18.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map outside_dyn_map 20 set pfs 

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs 

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs 

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 80 set pfs 

crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 100 set pfs 

crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 120 set pfs 

crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 140 set pfs 

crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs 

crypto map outside_map 1 set peer ####

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs 

crypto map outside_map 2 set peer ####

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 172.18.0.3-172.18.1.2 inside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect rsh 

  inspect rtsp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

  inspect h323 ras 

  inspect pptp 

!

service-policy global_policy global

group-policy NETWORK internal

group-policy NETWORK attributes

 wins-server value 172.18.200.1

 dns-server value 172.18.200.1

 vpn-tunnel-protocol IPSec 
 

 vpn-group-policy NETWORK
 
 

tunnel-group DefaultL2LGroup ipsec-attributes

 pre-shared-key *

tunnel-group NETWORK type ipsec-ra

tunnel-group NETWORK general-attributes

 address-pool IPVPN

 default-group-policy NETWORK

tunnel-group NETWORK ipsec-attributes

 pre-shared-key *

tunnel-group 123.456.789.111 type ipsec-l2l

tunnel-group 123.456.789.111 ipsec-attributes

 pre-shared-key *

tunnel-group 123.456.789.111 type ipsec-l2l

tunnel-group 123.456.789.111 ipsec-attributes

 pre-shared-key *

smtp-server 172.18.200.2

prompt hostname context 

Cryptochecksum:585c0c1b2348587143153660a223357a

: end

asdm image disk0:/asdm-523.bin

no asdm history enable

Open in new window

0
Comment
Question by:capcap
2 Comments
 
LVL 1

Expert Comment

by:munir_hayat
Comment Utility
Simply configure the below ACL this will solve your problem

access-list in_access_out extended permit ip any any
access-group in_access_out in interface outside
0
 
LVL 6

Accepted Solution

by:
brasslan earned 125 total points
Comment Utility
I always add the following class inspection to my ASA's to allow icmp traffic.  Also, with this inspect line in there, it does its best to prevent malicious icmp traffic as well.

policy-map global_policy
 class inspection_default
  inspect icmp
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now