• Status: Solved

Allowing pings from domain names instead of IP address

Hi -

Using ASDM, I'm trying to figure out how to allow pings from a domain name as opposed to a specific IP address.

I'm running ASA version 8.4(5) and ASDM version 7.1(1)52
emeka57
 
BigPapaGotti Commented:
This sounds almost like a DNS issue that you are running into. Open up a command prompt via Start > Run, type in "cmd", and then from the command line type in "nslookup NAMEOFCOMPUTER". Make sure the response comes back with the correct IP address of the machine in question.

This will also tell me if you are able to make DNS requests through the firewall; you will need to open up port 53 if you are not.
 
emeka57 Author Commented:
It's not really a DNS issue. I have a service that monitors our ISP connection via ICMP. I've blocked ICMP on my Cisco ASA 5510, but want to allow trusted.panorama9.com to ping my firewall. trusted.panorama9.com resolves to many IP addresses.
 
Mohammed Khawaja Commented:
Pings always resolve to IP and you will get your response pointing to an IP address.
 
emeka57 Author Commented:
This is what I'm trying to do:

Allow trusted.panorama9.com ICMP access to my ASA.
 
BigPapaGotti Commented:
You will want to perform the steps below to allow this access.

1. Log in to your ASA.
2. Click on the Configuration button up at the top. Then click on "Firewall".
3. Expand "Objects".
4. Click on "Service Objects/Groups".
5. Towards the top of the screen click on "Add".
6. Click on "ICMP GROUP".
7. Add the following Existing Services/Service Groups to the Members in the Group by using the "Add" button:
    - echo
    - echo-reply
8. When finished click on "OK".
9. Now you need to edit your "Outside" Access rule. Towards the top of the screen on the left hand side click on "Access Rules".
10. Highlight your "Outside" access list and click on the "Add" button towards the top.
11. In the "Source" field click on the button for "....".
12. A new window will open. Click on the "Add" button towards the top of the screen and select "Network Object".
13. In the "Name" field give it a name of your choice.
14. From the "Type" field select "FQDN".
15. In the "FQDN" field type in "trusted.panorama9.com".
16. Click OK.
17. Click OK.
18. In the "Destination Criteria" section underneath service be sure to select the service "NETICMP".
19. Click OK.
20. Apply the configuration to your ASA.
21. Test this to ensure it is working properly.
 
Giovanni Heward Commented:
@emeka57

Create a network object for trusted.panorama9.com

ASDM -> Configuration -> Objects -> Network Objects/Groups -> Add -> Network Object

Name: trusted.panorama9.com
Type: FQDN
IP Version: IPv4
FQDN: trusted.panorama9.com
Description: trusted.panorama9.com

Or from the command line:
object network trusted.panorama9.com
 fqdn v4 trusted.panorama9.com
 description trusted.panorama9.com


Then create the appropriate Access Rule from there.  You should limit ICMP to Type 8 [Echo] and Type 0 [Echo Reply] instead of permitting the entire protocol.

I tested the FQDN network object type on 9.1(3) so if you don't have it with 8.x consider upgrading.

That being said, if the ICMP echo packets are being directed to the outside interface itself, you could enable the following option:

icmp permit any echo outside

Though this is restricted by IP address only.
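The reply above notes that `icmp permit` on the interface itself takes IP addresses only, while the name in question resolves to many addresses. The following is an added example, not part of any poster's reply: it turns a set of resolved addresses into the `icmp permit host ... echo outside` lines to add and the stale ones to remove. The function name `icmp_permit_delta`, the sample addresses, and the assumption that every per-host echo rule on the interface belongs to the monitoring service are constructed for illustration.

```python
import ipaddress
import re

# Per-host echo rules: the page's `icmp permit any echo outside`
# with `host <ip>` in place of `any`.
RULE_RE = re.compile(r"^icmp permit host (\S+) echo (\S+)$")


def icmp_permit_delta(resolved, running_config, ifname="outside"):
    """Return ASA commands that make the per-host echo rules match `resolved`.

    Assumption: every per-host echo rule on `ifname` belongs to the
    monitoring service, so rules for addresses no longer resolved are removed.
    """
    wanted = {ipaddress.IPv4Address(a) for a in resolved}
    # Reject answers that should never be a remote monitoring source, so a
    # bad DNS reply cannot add a rule for loopback, multicast and the like.
    for a in sorted(wanted):
        if a.is_loopback or a.is_multicast or a.is_unspecified or a.is_link_local:
            raise ValueError(f"refusing to permit {a}")
    present = set()
    for line in running_config.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(2) == ifname:
            present.add(ipaddress.IPv4Address(m.group(1)))
    # Additions come before removals so the monitor is not cut off mid-change.
    cmds = [f"icmp permit host {a} echo {ifname}" for a in sorted(wanted - present)]
    cmds += [f"no icmp permit host {a} echo {ifname}" for a in sorted(present - wanted)]
    return cmds


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, not real answers).
    sample_config = """\
icmp permit host 198.51.100.7 echo outside
icmp permit host 203.0.113.9 echo outside
icmp permit host 203.0.113.50 echo inside
"""
    sample_resolved = {"198.51.100.7", "192.0.2.10"}
    for cmd in icmp_permit_delta(sample_resolved, sample_config):
        print(cmd)
```

The resolved set can come from the same `nslookup` check suggested earlier in the thread; review the generated lines before pasting them into the ASA.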
 
emeka57 Author Commented:
18. In the "Destination Criteria" Section underneath service be sure to select the service "NETICMP"

Did you mean "ICMP" since there is no "NETICMP"?