Solved

Allowing pings from domain names instead of IP address

Posted on 2013-11-20
477 Views
Last Modified: 2013-11-20
Hi -

Using ASDM, I'm trying to figure out how to allow pings from a domain name as opposed to a specific IP address.

I'm running ASA version 8.4(5) and ASDM version 7.1(1)52
Question by:emeka57
7 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39662429
This sounds almost like a DNS issue that you are running into. If you open up a command prompt via Start>Run, type in "cmd" and then from the command line type in "nslookup NAMEOFCOMPUTER". Make sure the response comes back with the correct IP address of the machine in question.

This will also tell me if you are able to make DNS requests through the firewall, for which you will need to open up port 53 if you are not.
 

Author Comment

by:emeka57
ID: 39662442
It's not really a DNS issue. I have a service that monitors our ISP connection via ICMP. I've blocked ICMP on my Cisco ASA 5510, but want to allow trusted.panorama9.com to ping my firewall. trusted.panorama9.com resolves to many IP addresses.
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39662473
Pings always resolve to IP and you will get your response pointing to an IP address.

 

Author Comment

by:emeka57
ID: 39662483
This is what I'm trying to do:

Allow trusted.panorama9.com ICMP access to my ASA.
 
LVL 9

Accepted Solution

by:
BigPapaGotti earned 500 total points
ID: 39662667
You will want to perform the steps below to allow this access.

1. Login to Your ASA
2. Click on the Configuration button up at the top. Then click on "Firewall"
3. Expand "Objects"
4. Click on "Service Objects/Groups"
5. Towards the top of the screen click on "Add"
6. Click on "ICMP GROUP"
7. Add the following Existing Services/Service Groups to the Members in the Group by using the "Add" button:
    - echo
    - echo-reply
8. When finished click on "OK"
9. Now you need to edit your "Outside" Access rule. Towards the top of the screen on the left hand side click on "Access Rules"
10. Highlight your "Outside" access list and click on the "Add" button towards the top.
11. In the "Source" field click on the button for "...."
12. A new window will open. Click on the "Add" button towards the top of the screen and select "Network Object"
13. In the "Name" field give it a name of your choice
14. From the "Type" field select "FQDN"
15. In the "FQDN" type in "trusted.panorama9.com"
16. Click OK.
17. Click OK.
18. In the "Destination Criteria" Section underneath service be sure to select the service "NETICMP"
19. Click Ok
20. Apply the configuration to your ASA.
21. Test this to ensure it is working properly.
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39662721
@emeka57

Create a network object for trusted.panorama9.com

ASDM -> Configuration -> Objects -> Network Objects/Groups -> Add -> Network Object

Name: trusted.panorama9.com
Type: FQDN
IP Version: IPv4
FQDN: trusted.panorama9.com
Description: trusted.panorama9.com

Or from the command line:
object network trusted.panorama9.com
 fqdn v4 trusted.panorama9.com
 description trusted.panorama9.com


Then create the appropriate Access Rule from there.  You should limit ICMP to Type 8 [Echo] and Type 0 [Echo Reply] instead of permitting the entire protocol.

I tested the FQDN network object type on 9.1(3) so if you don't have it with 8.x consider upgrading.

That being said, if the ICMP echo packets are being directed to the outside interface itself, you could enable the following option:

icmp permit any echo outside

Though this is restricted by IP address only.
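Putting the ASDM steps from the accepted solution and the CLI object above together, here is an added example of the complete change as ASA CLI configuration (this is editorial illustration, not configuration posted by anyone in the thread); the DNS server address and the ACL name outside_access_in are assumptions, so substitute your own.

```text
! FQDN objects only work if the ASA itself can resolve names.
! The name-server address is a placeholder (assumption), use your real resolver.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! Network object from the thread: the ASA resolves the name periodically and
! matches every address returned by its own lookup (not the client's lookup).
object network trusted.panorama9.com
 fqdn v4 trusted.panorama9.com
 description trusted.panorama9.com
!
! Permit only echo (type 8) and echo-reply (type 0) from that object,
! rather than the whole ICMP protocol. ACL name is an assumption.
access-list outside_access_in extended permit icmp object trusted.panorama9.com any echo
access-list outside_access_in extended permit icmp object trusted.panorama9.com any echo-reply
access-group outside_access_in in interface outside
!
! Check which addresses the ASA has actually resolved the FQDN object to;
! if this list is empty, the rule matches nothing and the DNS settings above need fixing.
show dns
```

Note that the access list governs traffic passing through the ASA; pings aimed at the outside interface address itself are controlled by the icmp command mentioned above, which accepts addresses and networks but not FQDN objects.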
 

Author Comment

by:emeka57
ID: 39663889
18. In the "Destination Criteria" Section underneath service be sure to select the service "NETICMP"

Did you mean "ICMP", since there is no "NETICMP"?
