Cisco ASA – Allowing ICMP Echo Requests on Cisco ASA 55xx Router

ciscocisco-asaicmp

I'm very new to managing Cisco equipment, so bear with me.

I'm configuring a Cisco ASA 5505 router for my office, and I am reasonably competent enough with the console to configure the basics — our business needs are not extravagant. Our pings are being dropped by the router, however.

How do I configure the router to allow ICMP Echo Requests? Are there other types of ICMP requests that should be allowed? What are the potential downsides of allowing them all?

Best Answer

Assuming that you haven't change the global_policy policy-map, have an access-group from_outside on interface outside and that you want to allow icmp echo on the outside interface, here is what to type:

policy-map global_policy
 class inspection_default
  inspect icmp
  exit
 exit
access-list from_outside extended permit icmp any any echo

I would only allow echo request on outside interface.
You may also probably want to take a look to the ASDM

Related Solutions

Cisco ASA intermittently fails to see traffic

I wonder if you need to put in identity NAT configs on the ASA:

nat (inside) 0 0 0
nat (dmz) 0 0 0

Also, check the ARP tables on the ASA (show arp) and the servers to make sure they have the correct IP->hw addresses.

And check the routing tables on every device as well.

Cisco ASA 5520 configuration on two SITE, A and B

You have quite a lot of options with the equipment you have. The main limitation right now seems to be your lack of familiarity with the ASA platform. If time is limited, then you should probably seek support/consulting from where the ASAs were obtained. If money is more critical than time, then you need to study up on ASA VPNs.

A good place to start is the Cisco Press ASA book (ISBN 978-1-58705-819-6) which has walkthroughs for setting up VPNs amongst other things, as well as explaining the concepts. The documentation available online is also essential reading, but it can be a bit hard to find exactly what you need.

You may also want to upgrade the firmware and ASDM on your ASAs. Version 7 is quite old now, and the more recent ASDM interfaces are a little better IMO. Also, if the Site B ASA is a more recent purchase, it is very likely it has a more recent firmware. You will find life easier if they are both on the same version.

When reading the documentation, it is essential you are reading the documentation that matches your firmware version - there are quite different configuration syntaxes between version 7.0 and the most recent version (8.4).

Best Answer

Related Solutions

Cisco ASA intermittently fails to see traffic

Cisco ASA 5520 configuration on two SITE, A and B

Related Topic