Solved

Allowing pings from domain names instead of IP address

Posted on 2013-11-20
7
467 Views
Last Modified: 2013-11-20
Hi -

Using ASDM, I'm trying to figure out how to allow pings from a domain name as opposed to a specific IP address.

I'm running ASA version 8.4(5) and ASDM version 7.1(1)52
0
Comment
Question by:emeka57
7 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
This sounds almost like a DNS issue that you are running into. Open up a command prompt via Start > Run, type in "cmd", and then from the command line type in "nslookup NAMEOFCOMPUTER". Make sure the response comes back with the correct IP address of the machine in question.

This will also tell me if you are able to make DNS requests through the firewall, for which you will need to open up port 53 if you are not.
0
 

Author Comment

by:emeka57
It's not really a DNS issue. I have a service that monitors our ISP connection via ICMP. I've blocked ICMP on my Cisco ASA 5510, but want to allow trusted.panorama9.com to ping my firewall. trusted.panorama9.com resolves to many IP addresses.
0
 
LVL 24

Expert Comment

by:Mohammed Khawaja
Pings always resolve to IP and you will get your response pointing to an IP address.
0
 

Author Comment

by:emeka57
This is what I'm trying to do:

Allow trusted.panorama9.com ICMP access to my ASA.
0
 
LVL 9

Accepted Solution

by:
BigPapaGotti earned 500 total points
You will want to perform the steps below to allow this access.

1. Log in to your ASA
2. Click on the Configuration button up at the top. Then click on "Firewall"
3. Expand "Objects"
4. Click on "Service Objects/Groups"
5. Towards the top of the screen click on "Add"
6. Click on "ICMP GROUP"
7. Add the following Existing Services/Service Groups to the Members in the Group by using the "Add" button:
    - echo
    - echo-reply
8. When finished click on "OK"
9. Now you need to edit your "Outside" Access rule. Towards the top of the screen on the left hand side click on "Access Rules"
10. Highlight your "Outside" access list and click on the "Add" button towards the top.
11. In the "Source" field click on the button for "...."
12. A new window will open. Click on the "Add" button towards the top of the screen and select "Network Object"
13. In the "Name" field give it a name of your choice
14. From the "Type" field select "FQDN"
15. In the "FQDN" field type in "trusted.panorama9.com"
16. Click OK.
17. Click OK.
18. In the "Destination Criteria" Section underneath service be sure to select the service "NETICMP"
19. Click OK
20. Apply the configuration to your ASA.
21. Test this to ensure it is working properly.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
@emeka57

Create a network object for trusted.panorama9.com

ASDM -> Configuration -> Objects -> Network Objects/Groups -> Add -> Network Object

Name: trusted.panorama9.com
Type: FQDN
IP Version: IPv4
FQDN: trusted.panorama9.com
Description: trusted.panorama9.com

Or from the command line:
object network trusted.panorama9.com
 fqdn v4 trusted.panorama9.com
 description trusted.panorama9.com


Then create the appropriate Access Rule from there. You should limit ICMP to Type 8 [Echo] and Type 0 [Echo Reply] instead of permitting the entire protocol.

I tested the FQDN network object type on 9.1(3) so if you don't have it with 8.x consider upgrading.

That being said, if the ICMP echo packets are being directed to the outside interface itself, you could enable the following option:

icmp permit any echo outside

Though this is restricted by IP address only.
0
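As an added example that is not from any of the posts above, this is the ASA CLI equivalent of the ASDM steps in the accepted solution and of Giovanni Heward's object, put together as a complete configuration: the DNS settings an FQDN object depends on, the ICMP group limited to echo and echo-reply, and the rule bound inbound on the outside interface. The resolver address, the object-group name and the access-list name are assumptions.

```cisco
! Added example, not taken from the thread: ASA CLI for the ASDM steps above.
! An FQDN network object is only useful if the ASA itself can resolve names,
! so DNS lookup on the outside interface and a resolver must be configured first.
! 203.0.113.53 is a placeholder resolver; substitute your own.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53

! Network object that follows every address trusted.panorama9.com resolves to
object network trusted.panorama9.com
 fqdn v4 trusted.panorama9.com
 description Panorama9 ICMP monitor

! ICMP group holding only echo (type 8) and echo-reply (type 0);
! this is what the ASDM "ICMP GROUP" step in the accepted answer creates.
! Name is assumed.
object-group icmp-type PANORAMA9-PING
 icmp-object echo
 icmp-object echo-reply

! Permit only those ICMP types from the monitor's addresses, then apply the
! list inbound on outside. Access-list name is assumed.
access-list outside_access_in extended permit icmp object trusted.panorama9.com any object-group PANORAMA9-PING
access-group outside_access_in in interface outside
```

Use "show dns" to confirm the FQDN has actually resolved and "show access-list outside_access_in" to see the per-address entries the ASA expanded it into. As the comment above notes, pings addressed to the outside interface itself are to-the-box traffic that this rule does not govern; those are controlled by the "icmp permit" command, which accepts IP addresses only.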
 

Author Comment

by:emeka57
18. In the "Destination Criteria" Section underneath service be sure to select the service "NETICMP"

Did you mean "ICMP", since there is no "NETICMP"?
0
