
How do I allow ICMP from all inside servers on Cisco ASA5505

CyberWarrior7194
Result of the command: "sho run"

: Saved
:
ASA Version 8.3(1)
!
hostname mynetworkVPN
domain-name mynetworkVPN.homeoffice.com
enable password //////////////// encrypted
passwd ///////////////// encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address xx.xx.xxx.118 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xxx.121 255.255.255.248
!
interface Vlan12
 description Inside Network for access to other DMZ networks
 nameif insidevpn
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 description outside
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
banner exec WARNING!!! This system is solely for the use of authorized users for official purposes.
banner login WARNING!!! This system is solely for the use of authorized users for official purposes.
ftp mode passive
dns server-group DefaultDNS
 domain-name mynetwork.mynetwork.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.48_28
 subnet 192.168.1.48 255.255.255.240
object network SERVER1
 host 192.168.1.10
 description NAT for SERVER1
object network SERVER1OUTSIDE
 host xx.xx.xxx.122
 description Outside SERVER1 IP
object network NATFORSERVER1
 host 192.168.1.10
 description SERVER1 SERVER NAT TRANS
object network USER1PCOUTSIDE
 host xx.xx.xxx.123
 description USER1 outside access IP address
object network NATFORUSER1
 host 192.168.2.208
object network USER2PCOUTSIDE
 host xx.xx.xxx.124
 description USER2 outside access IP address
object network NATFORUSER2
 host 192.168.2.216
 description Outside access for USER2
object network Customer-Location1
 subnet xxx.xxx.198.xx 255.255.255.252
object network Customer-Location2
 subnet xxx.xxx.199.xx 255.255.255.252
object network NETWORK_OBJ_xx.xx.xxx.112_29
 subnet xx.xx.xxx.112 255.255.255.248
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list homeoffice_tunnel_splitTunnelAcl_1 remark mynetwork ASA to Router
access-list homeoffice_tunnel_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list homeoffice_tunnel_splitTunnelAcl_1 remark mynetwork inside equipment
access-list homeoffice_tunnel_splitTunnelAcl_1 standard permit xx.xx.xxx.112 255.255.255.248
access-list homeoffice_tunnel_splitTunnelAcl_1 remark mynetwork Router Network
access-list homeoffice_tunnel_splitTunnelAcl_1 standard permit 192.168.21.0 255.255.255.0
access-list homeoffice_tunnel_splitTunnelAcl_1 remark mynetwork User Network
access-list homeoffice_tunnel_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list insidevpn_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_2_cryptomap extended permit ip xx.xx.xxx.112 255.255.255.248 object Customer-Location2
access-list outside_3_cryptomap extended permit ip xx.xx.xxx.112 255.255.255.248 object Customer-Location1
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu insidevpn 1500
ip local pool mynetwork_pool 192.168.1.50-192.168.1.60 mask 255.255.255.0
ip local pool outsideAccess xx.xx.xxx.113 mask 255.255.255.255
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.48_28 NETWORK_OBJ_192.168.1.48_28
nat (inside,outside) source static NETWORK_OBJ_xx.xx.xxx.112_29 NETWORK_OBJ_xx.xx.xxx.112_29 destination static Customer-Location2 Customer-Location2
nat (inside,outside) source static NETWORK_OBJ_xx.xx.xxx.112_29 NETWORK_OBJ_xx.xx.xxx.112_29 destination static Customer-Location1 Customer-Location1
!
object network obj_any
 nat (inside,outside) dynamic interface
object network NATFORSERVER1
 nat (insidevpn,outside) static SERVER1OUTSIDE
object network NATFORUSER1
 nat (insidevpn,outside) static USER1PCOUTSIDE
object network NATFORUSER2
 nat (insidevpn,outside) static USER2PCOUTSIDE
access-group inside_access_in in interface inside
access-group insidevpn_access_in in interface insidevpn
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.126 1
route insidevpn 192.168.2.0 255.255.255.0 192.168.1.2 1
route insidevpn 192.168.21.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http xx.xxx.xx.48 255.255.255.255 outside
http xx.xx.xxx.112 255.255.255.248 inside
http xx.xx.xxx.120 255.255.255.248 outside
http xxx.xxx.xxx.30 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.xx.235
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer xxx.xxx.14.xx
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer xxx.xxx.15.xx
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map insidevpn_map2 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map insidevpn_map2 interface insidevpn
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable insidevpn
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh xx.xxx.xxx.48 255.255.255.255 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy homeoffice_tunnel internal
group-policy homeoffice_tunnel attributes
 dns-server value xx.xx.xx.130 xx.xx.xx.130
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value homeoffice_tunnel_splitTunnelAcl_1
 default-domain value homeoffice.com
username remoteuser1 password ???????????????? encrypted privilege 15
username remoteuser1 attributes
 vpn-group-policy homeoffice_tunnel
username remoteuser2 password ???????????????? encrypted privilege 15
username remoteuser2 attributes
 vpn-group-policy homeoffice_tunnel
username remoteuser3 password ???????????????? encrypted privilege 15
username remoteuser3 attributes
 vpn-group-policy homeoffice_tunnel
username remoteuser4 password ???????????????? encrypted privilege 15
username remoteuser4 attributes
 vpn-group-policy homeoffice_tunnel
username remoteuser5 password ???????????????? encrypted privilege 15
username remoteuser5 attributes
 vpn-group-policy homeoffice_tunnel
tunnel-group homeoffice_tunnel type remote-access
tunnel-group homeoffice_tunnel general-attributes
 address-pool mynetwork_pool
 default-group-policy homeoffice_tunnel
tunnel-group homeoffice_tunnel ipsec-attributes
 pre-shared-key *****
tunnel-group xxx.xxx.xx.235 type ipsec-l2l
tunnel-group xxx.xxx.xx.235 ipsec-attributes
 pre-shared-key *****
tunnel-group xxx.xxx.15.xx type ipsec-l2l
tunnel-group xxx.xxx.15.xx ipsec-attributes
 pre-shared-key *****
tunnel-group xxx.xxx.14.xx type ipsec-l2l
tunnel-group xxx.xxx.14.xx ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
Cryptochecksum:888888888888888888888888888888888
: end

Author
Commented:
Just to clarify, I want to ping from an inside server, 192.168.1.10 on insidevpn, to an outside IP address on the Internet.

Thank You
Robert Sutton Jr, Senior Network Manager
Commented:
Are you just wanting to setup ICMP from that address alone or the entire net of insidevpn?
Senior infrastructure engineer
Top Expert 2012
Commented:
For starters you could add:

access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside

to see if it works. Later on you can then restrict it a bit more if necessary.
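A tighter alternative to the blanket rule above, added here as an example and not part of the original thread: either permit only the ICMP reply and error types an outbound ping needs, or enable ICMP inspection so the ASA matches replies to the outbound echo statefully. It assumes the ASA's default global_policy / inspection_default class exists (it is not shown in the pasted "sho run") and uses 198.51.100.1 as a constructed test destination.

```text
! Example, not from the thread. Pick ONE of the two options below; only one
! access-group may be applied inbound on the outside interface.
!
! --- Option A: inbound ACL limited to the ICMP types a ping from inside needs.
!     "permit icmp any any" opens every ICMP type from the Internet; this keeps
!     the implicit deny for echo-request, redirect, timestamp, etc.
access-list outside_access_in_icmp extended permit icmp any any echo-reply
access-list outside_access_in_icmp extended permit icmp any any time-exceeded
access-list outside_access_in_icmp extended permit icmp any any unreachable
access-group outside_access_in_icmp in interface outside
!
! --- Option B: stateful ICMP inspection, no permanent inbound ICMP permit.
!     Assumes the default global_policy / inspection_default class is present
!     (not visible in the pasted output). Replies are allowed only while a
!     matching outbound echo is in the connection table.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify either option from the CLI (8 0 = ICMP echo-request type/code;
! 198.51.100.1 is a constructed documentation-range destination):
! packet-tracer input insidevpn icmp 192.168.1.10 8 0 198.51.100.1
! show access-list outside_access_in_icmp
! show conn protocol icmp
```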

Author
Commented:
Thanks for the help. I assumed that if I could access the Internet from inside I should also be able to send ICMP. I guess that is not the case, so I added an ACL to the outside-in to permit it.

Thank You