Solved

Allowing pings from domain names instead of IP address

Posted on 2013-11-20
Medium Priority
513 Views
Last Modified: 2013-11-20
Hi -

Using ASDM, I'm trying to figure out how to allow pings from a domain name as opposed to a specific IP address.

I'm running ASA version 8.4(5) and ASDM version 7.1(1)52
0
Question by:emeka57
7 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 39662429
This sounds almost like a DNS issue that you are running into. If you open up a command prompt via Start > Run, type in "cmd", and then from the command line type "nslookup NAMEOFCOMPUTER". Make sure the response comes back with the correct IP address of the machine in question.

This will also tell me if you are able to make DNS requests through the firewall; you will need to open up port 53 if you are not.
0
 

Author Comment

by:emeka57
ID: 39662442
It's not really a DNS issue. I have a service that monitors our ISP connection via ICMP. I've blocked ICMP on my Cisco ASA 5510, but want to allow trusted.panorama9.com to ping my firewall. trusted.panorama9.com resolves to many IP addresses.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39662473
Pings always resolve to IP and you will get your response pointing to an IP address.
0
 

Author Comment

by:emeka57
ID: 39662483
This is what I'm trying to do:

Allow trusted.panorama9.com ICMP access to my ASA.
0
 
LVL 9

Accepted Solution

by:
BigPapaGotti earned 2000 total points
ID: 39662667
You will want to perform the steps below to allow this access.

1. Login to Your ASA
2. Click on the Configuration button up at the top. Then click on "Firewall"
3. Expand "Objects"
4. Click on "Service Objects/Groups"
5. Towards the top of the screen click on "Add"
6. Click on "ICMP GROUP"
7. Add the following Existing Services/Service Groups to the Members in the Group by using the "Add" button:
    - echo
    - echo-reply
8. When finished click on "OK"
9. Now you need to edit your "Outside" Access rule. Towards the top of the screen on the left hand side click on "Access Rules"
10. Highlight your "Outside" access list and click on the "Add" button towards the top.
11. In the "Source" field click on the button for "...."
12. A new window will open. Click on the "Add" button towards the top of the screen and select "Network Object"
13. In the "Name" field give it a name of your choice
14. From the "Type" field select "FQDN"
15. In the "FQDN" type in "trusted.panorama9.com"
16. Click OK.
17. Click OK.
18. In the "Destination Criteria" Section underneath service be sure to select the service "NETICMP"
19. Click OK
20. Apply the configuration to your ASA.
21. Test this to ensure it is working properly.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39662721
@emeka57

Create a network object for trusted.panorama9.com

ASDM -> Configuration -> Objects -> Network Objects/Groups -> Add -> Network Object

Name: trusted.panorama9.com
Type: FQDN
IP Version: IPv4
FQDN: trusted.panorama9.com
Description: trusted.panorama9.com

Or from the command line:
object network trusted.panorama9.com
 fqdn v4 trusted.panorama9.com
 description trusted.panorama9.com


Then create the appropriate Access Rule from there. You should limit ICMP to Type 8 [Echo] and Type 0 [Echo Reply] instead of permitting the entire protocol.

I tested the FQDN network object type on 9.1(3) so if you don't have it with 8.x consider upgrading.

That being said, if the ICMP echo packets are being directed to the outside interface itself, you could enable the following option:

icmp permit any echo outside

Though this is restricted by IP address only.
0
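A command-line equivalent of the ASDM steps in the accepted solution, combined with the to-the-box case raised in the comment above. This is an added example, not configuration posted by either expert. It assumes an interface named outside, an inbound ACL named outside_access_in, an ICMP-type group named ICMP-ECHO, and placeholder addresses from documentation ranges (192.0.2.53 for the resolver, 203.0.113.10 for one resolved address); an FQDN object only populates once the ASA itself can resolve names, so the dns lines come first.

```cisco
! FQDN objects are resolved by the ASA, so DNS lookup must be enabled.
! 192.0.2.53 is a placeholder; use your real resolver.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! Network object that tracks every address the name currently resolves to
object network trusted.panorama9.com
 fqdn v4 trusted.panorama9.com
 description panorama9 monitoring source
!
! Limit ICMP to echo / echo-reply instead of permitting the whole protocol
object-group icmp-type ICMP-ECHO
 icmp-object echo
 icmp-object echo-reply
!
! Through-the-box rule: only the FQDN object may send echo traffic inbound;
! all other ICMP stays blocked by the implicit deny (ACL name is assumed)
access-list outside_access_in extended permit icmp object trusted.panorama9.com any object-group ICMP-ECHO
access-group outside_access_in in interface outside
!
! Pings addressed to the outside interface itself are not governed by the
! access list but by the icmp command, which accepts IP addresses only, so
! the FQDN object cannot be referenced here. 203.0.113.10 is a placeholder.
icmp permit host 203.0.113.10 echo outside
icmp deny any outside
```

If the monitoring service pings the firewall's outside address rather than a host behind it, only the last two lines matter, and each address the name resolves to needs its own icmp permit entry; the access-list rule is what lets the FQDN object do the tracking for traffic passing through the ASA.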
 

Author Comment

by:emeka57
ID: 39663889
18. In the "Destination Criteria" Section underneath service be sure to select the service "NETICMP"

Did you mean "ICMP", since there is no "NETICMP"?
0