
Wednesday, March 28, 2012

Cisco PIX 6.3 – allow ping replies

How to set up a PIX 6.3 so that ICMP echo replies are let back in for ICMP traffic initiated from the inside,
i.e. allow a computer on the inside interface to ping external (outside) hosts.

By default outbound ICMP traffic is allowed (inside has the higher security level), but PIX 6.3 does not track ICMP statefully, so the echo replies coming back in on the outside interface hit the implicit deny and are dropped.

First we need to create an access-list that permits the ICMP message types we want back in (for ping, echo-reply; traceroute also needs time-exceeded and unreachable).

example:

access-list 155 permit icmp any host 192.168.72. echo-reply

access-list <acl id> permit <protocol> any host <host ip> echo-reply

any – shorthand for any source address: 0.0.0.0 with subnet mask 0.0.0.0 (PIX access-lists take ordinary subnet masks, not IOS-style wildcard masks).

host – shorthand for a single address, i.e. subnet mask 255.255.255.255.

<host ip> is the address as seen on the outside interface: if the inside host is NATed, use its global (translated) address, not its private one.

 
With the ACL set up we need to bind it to the outside interface for inbound traffic.
<note: an interface takes only one inbound access-group, and applying a second one replaces the first. If the outside interface already has an access-list bound to it, add the echo-reply line to that access-list instead of creating a new one.>
access-group 155 in interface outside
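As an added example (not from the original post, and not Cisco code), here is a small Python model of how the PIX applies an access-list like the one above to packets arriving on the outside interface: `any` and `host` expand to ordinary subnet masks, entries are checked top to bottom, the first match wins, and anything unmatched is dropped by the implicit deny. The config text, the addresses and the extra time-exceeded/unreachable entries are constructed; the post's own example line has a truncated host address, so a full one, 192.168.72.10, is assumed here.

```python
"""PIX-style access-list evaluator (added example, not Cisco code).

Models how a PIX access-list is applied to an inbound packet: entries
are checked top to bottom, the first match decides, and anything that
matches nothing is dropped by the implicit deny at the end.  PIX/ASA
address specs use ordinary subnet masks: ``any`` is 0.0.0.0 0.0.0.0
and ``host X`` is X 255.255.255.255.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[str] = None   # e.g. "echo-reply" for ICMP packets


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]          # None: any ICMP type


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # <address> <subnet mask>: a real netmask, not an IOS-style wildcard
    return ipaddress.IPv4Network((tok, tokens[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse e.g. 'access-list 155 permit icmp any host 192.168.72.10 echo-reply'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    acl_id, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    icmp_type = tokens[i] if proto == "icmp" and i < len(tokens) else None
    return acl_id, Ace(action, proto, src, dst, icmp_type)


def parse_acl(config_text: str) -> Dict[str, List[Ace]]:
    """Group entries by ACL id, keeping their order (order is what matters)."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        if line.startswith("access-list"):
            acl_id, ace = parse_ace(line)
            acls.setdefault(acl_id, []).append(ace)
    return acls


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under the given access-list."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.IPv4Address(pkt.src) not in ace.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.proto == "icmp" and ace.icmp_type not in (None, pkt.icmp_type):
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every access-list


# Constructed config: the post's echo-reply line with an assumed full host
# address, plus the entries traceroute needs, scoped to a subnet to show
# a netmask entry.  The access-group line is ignored by this parser.
SAMPLE_CONFIG = """
access-list 155 permit icmp any host 192.168.72.10 echo-reply
access-list 155 permit icmp any 192.168.72.0 255.255.255.0 time-exceeded
access-list 155 permit icmp any 192.168.72.0 255.255.255.0 unreachable
access-group 155 in interface outside
"""
ACL_155 = parse_acl(SAMPLE_CONFIG)["155"]


def inbound_decisions() -> List[str]:
    """Decisions for constructed packets arriving on the outside interface."""
    ext = "203.0.113.5"
    return [
        evaluate(ACL_155, Packet("icmp", ext, "192.168.72.10", "echo-reply")),     # ping reply
        evaluate(ACL_155, Packet("icmp", ext, "192.168.72.10", "echo")),           # unsolicited ping
        evaluate(ACL_155, Packet("icmp", ext, "192.168.72.11", "echo-reply")),     # reply to another host
        evaluate(ACL_155, Packet("icmp", ext, "192.168.72.11", "time-exceeded")),  # traceroute hop
        evaluate(ACL_155, Packet("tcp", ext, "192.168.72.10")),                    # not ICMP at all
    ]


if __name__ == "__main__":
    for ace in ACL_155:
        print(ace.action, ace.proto, ace.src, "->", ace.dst, ace.icmp_type)
    print(inbound_decisions())
```

Note what the first decision list shows: the hole is static. Any outside host can send an echo-reply to 192.168.72.10 at any time, whether or not that host ever sent a request, because PIX 6.3 has no ICMP state to tie the reply to.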
 


Tuesday, March 27, 2012

Enabling ICMP on Cisco ASA firewall - ASDM

As always this is really for my reference in the future.

I wanted to allow ICMP traffic (pings, traceroutes) from inside to outside. I had set up ACLs etc. as for other protocols, which were working; however ICMP traffic refused to work.

In the end I traced it down to a setting in ASDM:

ASDM\Configuration\Service Policy Rules\inspection_default\<edit>\Rule actions

Check ICMP, click OK and then Apply.

Ping and traceroute should now work, assuming you have created an ACL to allow the appropriate traffic. Note that this does not make the firewall itself answer pings sent to its interfaces; I think that's set somewhere else.

I believe the following is the CLI equivalent of the above (I have not tested or used it); it is here for info only.

policy-map global_policy
class inspection_default
inspect icmp
exit
exit
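What the ICMP inspection setting above actually buys you, as an added example (not from the original post, and not Cisco code): a Python model of stateful ICMP inspection of the kind `inspect icmp` provides. An outbound echo request opens a session keyed on addresses, ICMP identifier and sequence number; exactly one matching reply is let back in; unsolicited, duplicate, mismatched or late replies are dropped. The hosts, packets and timings are constructed, and the 2 second idle timeout is an assumed default.

```python
"""Model of stateful ICMP inspection (added example, not Cisco code).

Approximates what ``inspect icmp`` in the ASA's global_policy does for
ping: an outbound echo request creates a session keyed on source,
destination, ICMP identifier and sequence number; exactly one matching
echo reply is admitted back in; unsolicited, duplicate or late replies
are dropped.  No static echo-reply hole in the outside access-list is
needed, unlike the PIX 6.3 approach.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int     # 8 = echo request, 0 = echo reply
    ident: int         # identifier chosen by the pinging process
    seq: int           # sequence number, incremented per probe


SessionKey = Tuple[str, str, int, int]   # (request src, request dst, ident, seq)


class IcmpInspector:
    """Per-request state table, as an inspection engine keeps it."""

    def __init__(self, idle_timeout: float = 2.0):
        # Assumed default: ASA's 'timeout icmp' is 0:00:02 unless changed.
        self.idle_timeout = idle_timeout
        self._sessions: Dict[SessionKey, float] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, t in self._sessions.items() if now - t > self.idle_timeout]
        for key in stale:
            del self._sessions[key]

    def outbound(self, pkt: IcmpPacket, now: float) -> str:
        """Inside -> outside: allowed by security levels; echo requests open a session."""
        self._expire(now)
        if pkt.icmp_type == ECHO_REQUEST:
            self._sessions[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = now
        return "permit"

    def inbound(self, pkt: IcmpPacket, now: float) -> str:
        """Outside -> inside: only a reply to an open request gets through, and only once."""
        self._expire(now)
        if pkt.icmp_type != ECHO_REPLY:
            return "deny"   # unsolicited inbound ICMP would need an explicit ACL entry
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # a reply reverses the request's addresses
        if key not in self._sessions:
            return "deny"
        del self._sessions[key]     # one reply per request
        return "permit"

    def open_sessions(self) -> int:
        return len(self._sessions)


def run_ping_scenario() -> List[str]:
    """Constructed exchange: a ping from inside host 10.0.0.5 to 203.0.113.9, then some junk."""
    fw = IcmpInspector()
    req = IcmpPacket("10.0.0.5", "203.0.113.9", ECHO_REQUEST, ident=0x1234, seq=1)
    rep = IcmpPacket("203.0.113.9", "10.0.0.5", ECHO_REPLY, ident=0x1234, seq=1)
    return [
        fw.outbound(req, now=0.0),                               # permit: session opened
        fw.inbound(rep, now=0.1),                                # permit: matches the request
        fw.inbound(rep, now=0.2),                                # deny: duplicate, session already used
        fw.inbound(replace(rep, seq=2), now=0.3),                # deny: nobody asked for seq 2
        fw.inbound(replace(rep, src="198.51.100.7"), now=0.4),   # deny: reply from the wrong host
        fw.outbound(replace(req, seq=3), now=5.0),               # permit: new request
        fw.inbound(replace(rep, seq=3), now=8.0),                # deny: past the 2 s idle timeout
    ]


if __name__ == "__main__":
    print(run_ping_scenario())
```

The contrast with the PIX 6.3 access-list is the point: there, every echo-reply addressed to the host is accepted forever; here, a reply is only accepted if a matching request left moments ago, which is why the ASA needs no permanent echo-reply entry on the outside interface once inspection is on.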
