How to allow ping from inside interface to dmz interface on a Cisco ASA 5505

Posted on 2009-06-29
Last Modified: 2013-11-29
Hi all,

I've a server in our DMZ that I would like to ping so I can monitor up time effectively.

It seems Cisco blocks ICMP by default, but my efforts using the graphical interface to change this have been in vain. Please help - I've attached my config file below.

Many thanks - Mike
: Saved
:
ASA Version 7.2(3) 
!
hostname blah
domain-name ####
enable password #### encrypted
names
name 172.18.231.0 IPVPN
name 172.18.241.5 CONDIR 
name 172.19.0.3 DMZ-SMTP 
name 172.19.0.4 DMZ-SFTP 
name 172.19.0.5 DMZ-FTP 
name 172.18.200.2 RIGEL
name 172.18.200.4 CAPELLA 
name 172.19.0.7 GSTAR 
name 172.18.200.14 CRM
name 172.18.200.13 Sharepoint
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.0.2 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.456.789.111 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.19.0.2 255.255.255.0 
!
interface Vlan13
 nameif pdmz
 security-level 100
 ip address 172.10.0.2 255.255.0.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 13
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd #### encrypted
ftp mode passive
dns domain-lookup dmz
dns server-group DefaultDNS
 domain-name #####
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service StndInternet tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
access-list outside_access_in 
access-list outside_access_in extended deny ip host #### any 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq smtp 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host Sharepoint eq https 
access-list outside_access_in 
access-list outside_access_in  
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq https 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 8001 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq ftp-data 
access-list outside_access_in 
access-list outside_access_in extended permit tcp any host 123.456.789.111 eq 2773 
access-list outside_access_in extended permit tcp host 123.456.789.111 host 172.18.230.97 range 6000 60063 inactive 
access-list outside_access_in 
access-list outside_access_in extended deny ip host ##### any 
access-list outside_access_in 
access-list outside_access_in 
access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host 123.456.789.111 IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any IPVPN 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host CONDIR host #### 
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 
access-list VPNNET_splitTunnelAcl standard permit host 123.456.789.111 
access-list VPN_splitTunnelAcl standard permit any 
access-list inside_outbound_nat_acl extended permit ip any IPVPN 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip any IPVPN 255.255.255.0 
access-list outside_1_cryptomap extended permit ip host CONDIR host #### 
access-list outside_2_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0 
access-list dmz_access_in extended permit ip any any 
access-list dmz_access_out extended permit ip any any 
access-list pdmz_access_out extended permit tcp any host RIGEL 
access-list acl_pdmz_to_inside extended permit ip any any 
access-list pdmz_in extended permit ip any any 
access-list pdmz_access_out_1 extended permit ip any interface inside inactive 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply inactive 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded inactive 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo inactive 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu pdmz 1500
ip local pool IPVPN 172.18.231.1-172.18.231.254
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface pdmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.0.0 255.255.0.0
nat (dmz) 1 172.19.0.0 255.255.0.0
nat (pdmz) 1 172.10.0.0 255.255.0.0
static (dmz,outside) 123.456.789.111 DMZ-SFTP netmask 255.255.255.255 
static (dmz,outside) 123.456.789.111 DMZ-FTP netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 RIGEL netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 CAPELLA netmask 255.255.255.255 
static (inside,dmz) 123.456.789.111 172.18.0.0 netmask 255.255.0.0 
static (inside,dmz) 123.456.789.111 DMZ-SMTP netmask 255.255.255.255 
static (dmz,outside) 123.456.789.111 GSTAR netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 CRM netmask 255.255.255.255 
static (inside,outside) 123.456.789.111 Sharepoint netmask 255.255.255.255 
static (dmz,outside) 123.456.789.111 172.19.0.2 netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
access-group pdmz_in in interface pdmz
access-group pdmz_access_out out interface pdmz
route outside 0.0.0.0 0.0.0.0 123.456.789.111 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
filter java 81 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
filter activex 813 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
http server enable
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs 
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs 
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs 
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer ####
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer ####
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.18.0.3-172.18.1.2 inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect h323 ras 
  inspect pptp 
!
service-policy global_policy global
group-policy NETWORK internal
group-policy NETWORK attributes
 wins-server value 172.18.200.1
 dns-server value 172.18.200.1
 vpn-tunnel-protocol IPSec 
 
 vpn-group-policy NETWORK
 
 
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group NETWORK type ipsec-ra
tunnel-group NETWORK general-attributes
 address-pool IPVPN
 default-group-policy NETWORK
tunnel-group NETWORK ipsec-attributes
 pre-shared-key *
tunnel-group 123.456.789.111 type ipsec-l2l
tunnel-group 123.456.789.111 ipsec-attributes
 pre-shared-key *
tunnel-group 123.456.789.111 type ipsec-l2l
tunnel-group 123.456.789.111 ipsec-attributes
 pre-shared-key *
smtp-server 172.18.200.2
prompt hostname context 
Cryptochecksum:585c0c1b2348587143153660a223357a
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

Question by:capcap
2 Comments
Expert Comment by: munir_hayat
ID: 24735311
Simply configure the ACL below; this will solve your problem.

access-list in_access_out extended permit ip any any
access-group in_access_out in interface outside

Accepted Solution by: brasslan (earned 125 total points)
ID: 24747523
I always add the following class inspection to my ASAs to allow icmp traffic. Also, with this inspect line in there, it does its best to prevent malicious icmp traffic as well.

policy-map global_policy
 class inspection_default
  inspect icmp
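An added config-audit script (written for this page; it is not from the thread, the poster, or Cisco) that checks the two things the answers above turn on: whether "inspect icmp" is present in the applied global policy and, failing that, whether an inbound ACL on the dmz interface permits the echo-reply back to the inside host. Without ICMP inspection the ASA keeps no state for the echo, so the reply arrives as a new low-to-high flow and is dropped unless a rule permits it; inactive rules (like the OUTSIDE_IN_ACL entries in the posted config) are skipped, as the ASA skips them. The script also reports interfaces whose inbound ACL begins with "permit ip any any": the ASA binds one ACL per interface and direction, so the first reply's "access-group in_access_out in interface outside" would replace outside_access_in outright. The sample configs are constructed and only mimic the layout of the posted config; the interface names, the DMZ-SMTP name object and the inside address 172.18.200.2 are taken from it.

```python
"""Audit a slice of ASA 7.x-style running-config: will an ICMP echo sent from
'inside' to a 'dmz' host get its echo-reply back?  Sample configs below are
constructed for this example and only mimic the layout of the posted config."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class AsaPolicy:
    names: dict = field(default_factory=dict)       # 'name A.B.C.D LABEL' -> {LABEL: A.B.C.D}
    sec_levels: dict = field(default_factory=dict)  # nameif -> security-level
    bindings: dict = field(default_factory=dict)    # (nameif, 'in'|'out') -> ACL name
    acls: dict = field(default_factory=dict)        # ACL name -> ordered extended rules
    same_security: bool = False                     # same-security-traffic permit inter-interface
    icmp_inspected: bool = False                    # 'inspect icmp' inside the applied global policy


def parse_asa_config(text: str) -> AsaPolicy:
    pol, context, iface, inspected_in, applied = AsaPolicy(), None, None, set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":   # '!' closes interface / policy-map blocks
            context = None
            continue
        tok = line.split()
        if not line.startswith(" "):                   # top-level command
            context = None
            if tok[0] == "interface":
                context, iface = "interface", None
            elif tok[0] == "policy-map" and tok[1] != "type":
                context = ("policy-map", tok[1])
            elif tok[0] == "name" and len(tok) == 3:
                pol.names[tok[2]] = tok[1]
            elif tok[0] == "access-list" and len(tok) > 3 and tok[2] == "extended":
                pol.acls.setdefault(tok[1], []).append(" ".join(tok[3:]))
            elif tok[0] == "access-group" and len(tok) == 5:
                pol.bindings[(tok[4], tok[2])] = tok[1]    # a later binding replaces the earlier one
            elif tok[0] == "service-policy" and tok[-1] == "global":
                applied = tok[1]
            elif line == "same-security-traffic permit inter-interface":
                pol.same_security = True
        elif context == "interface":
            if tok[0] == "nameif":
                iface = tok[1]
            elif tok[0] == "security-level" and iface:
                pol.sec_levels[iface] = int(tok[1])
        elif isinstance(context, tuple) and tok[:2] == ["inspect", "icmp"]:
            inspected_in.add(context[1])
    pol.icmp_inspected = applied in inspected_in       # only counts if that policy-map is applied
    return pol


def _addr(tok, i, ip, names):
    """Match one ACL address spec (any | host X | net mask) at tok[i]; return (matches, next index)."""
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return ipaddress.ip_address(names.get(tok[i + 1], tok[i + 1])) == ip, i + 2
    net = ipaddress.ip_network(f"{names.get(tok[i], tok[i])}/{tok[i + 1]}", strict=False)
    return ip in net, i + 2


def rule_verdict(rule, src_ip, dst_ip, names):
    """True/False if this rule decides an ICMP echo-reply src_ip -> dst_ip, None if it does not apply."""
    tok = rule.split()
    if tok[-1] == "inactive" or tok[1] not in ("ip", "icmp"):   # inactive rules are never consulted
        return None
    src_ok, i = _addr(tok, 2, src_ip, names)
    dst_ok, i = _addr(tok, i, dst_ip, names)
    if not (src_ok and dst_ok):
        return None
    if tok[1] == "icmp" and i < len(tok) and tok[i] != "echo-reply":
        return None                     # rule is for another ICMP type (echo, time-exceeded, ...)
    return tok[0] == "permit"


def echo_reply_allowed(pol, src_iface, src_ip, dst_iface, dst_ip):
    """Echo goes src_iface -> dst_iface (assumed permitted, high to low); does the reply get back?"""
    src_ip = ipaddress.ip_address(pol.names.get(src_ip, src_ip))
    dst_ip = ipaddress.ip_address(pol.names.get(dst_ip, dst_ip))
    if pol.icmp_inspected:
        return True, "inspect icmp: the reply is matched to the echo's state entry"
    acl = pol.bindings.get((dst_iface, "in"))
    if acl is None:                     # no ACL: security levels decide the reply as a new flow
        lo, hi = pol.sec_levels.get(dst_iface, 0), pol.sec_levels.get(src_iface, 0)
        if lo > hi or (lo == hi and pol.same_security):
            return True, f"no ACL on {dst_iface}; its security level may initiate to {src_iface}"
        return False, f"no inspect icmp and no inbound ACL on {dst_iface}: reply dropped"
    for rule in pol.acls.get(acl, []):  # first matching rule wins
        verdict = rule_verdict(rule, dst_ip, src_ip, pol.names)
        if verdict is not None:
            return verdict, f"{acl}: '{rule}'"
    return False, f"{acl}: no rule matches the reply (implicit deny)"


def wide_open_inbound(pol):
    """Interfaces whose inbound ACL starts with 'permit ip any any' (first active rule)."""
    hits = []
    for (iface, direction), acl in pol.bindings.items():
        active = [r for r in pol.acls.get(acl, []) if not r.endswith(" inactive")]
        if direction == "in" and active and active[0] == "permit ip any any":
            hits.append(iface)
    return sorted(hits)


# Constructed sample configs; layout mirrors the posted config, values are not the poster's.
BASE = """\
name 172.19.0.3 DMZ-SMTP
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Vlan3
 nameif dmz
 security-level 50
!
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any host DMZ-SMTP eq smtp
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
"""
WITH_INSPECT = BASE.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")
WITH_ACL = BASE + ("access-list dmz_access_in extended permit icmp any any echo-reply\n"
                   "access-group dmz_access_in in interface dmz\n")
WITH_INACTIVE_ACL = WITH_ACL.replace("echo-reply\n", "echo-reply inactive\n")
PERMIT_ALL_OUTSIDE = BASE + ("access-list in_access_out extended permit ip any any\n"
                             "access-group in_access_out in interface outside\n")


def audit(config_text):
    """Inside host 172.18.200.2 pings DMZ-SMTP; return (reply_allowed, reason)."""
    pol = parse_asa_config(config_text)
    return echo_reply_allowed(pol, "inside", "172.18.200.2", "dmz", "DMZ-SMTP")


if __name__ == "__main__":
    for label, cfg in [("base", BASE), ("inspect icmp", WITH_INSPECT),
                       ("dmz ACL", WITH_ACL), ("inactive dmz ACL", WITH_INACTIVE_ACL)]:
        print(f"{label:18s}", audit(cfg))
    print("permit-any inbound on:", wide_open_inbound(parse_asa_config(PERMIT_ALL_OUTSIDE)))
```

Run it as-is to see the four verdicts; to audit a real device, feed the output of "show running-config" to audit() and wide_open_inbound(). The script evaluates only the reply direction and the inbound ACL of the lower-security interface; an outbound ACL on that interface is assumed to permit the echo, as dmz_access_out does in the posted config.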
