13-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Troubleshooting Connections and Resources
Testing Your Configuration
hostname(config)# icmp permit 0.0.0.0 0.0.0.0 echo inside
hostname(config)# icmp permit 0.0.0.0 0.0.0.0 echo-reply inside
Step 2
Ensure access rules allow ICMP.
When pinging a host through an ASA, access rules must allow ICMP traffic to leave and return. The
access rule must at least allow Echo Request/Echo Reply ICMP packets. You can add these rules as
global rules.
Assuming you already have access rules applied to interfaces or applied globally, simply add these rules
to the relevant ACL, for example:
hostname(config)# access-list outside_access_in extended permit icmp any any echo
hostname(config)# access-list outside_access_in extended permit icmp any any echo-reply
Alternatively, just allow all ICMP:
hostname(config)# access-list outside_access_in extended permit icmp any any
If you do not have access rules, you will need to also allow the other type of traffic you want, because
applying any access rules to an interface adds an implicit deny, so all other traffic will be dropped. Use
the
access-group
command to apply the ACL to an interface or globally.
If you are simply adding the rule for testing purposes, you can use the
no
form of the
access-list
command to remove the rule from the ACL. If the entire ACL is simply for testing purposes, use the
no
access-group
command to remove the ACL from the interface.
Step 3
Enable ICMP inspection.
ICMP inspection is needed when pinging through the ASA, as opposed to pinging an interface.
Inspection allows returning traffic (that is, the Echo Reply packet) to return to the host that initiated the
ping, and also ensures there is one response per packet, which prevents certain types of attack.
You can simply enable ICMP inspection in the default global inspection policy.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect icmp
Ping Hosts
To ping any device, you simply enter
ping
with the IP address or host name, such as
ping 10.1.1.1
or
ping www.example.com
. For TCP ping, you include the
tcp
keyword and the destination port, such as
ping tcp www.example.com 80
. That is usually the extent of any test you need to run.
Example output for a successful ping:
Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
If the ping fails, the output indicates ? for each failed attempt, and the success rate is less than 100
percent (complete failure is 0 percent):
Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
However, you can also add parameters to control some aspects of the ping. Following are your basic
options:
Содержание ASA 5512-X
Страница 5: ...P A R T 1 Service Policies and Access Control ...
Страница 6: ......
Страница 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...
Страница 51: ...P A R T 2 Network Address Translation ...
Страница 52: ......
Страница 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...
Страница 127: ...P A R T 3 Application Inspection ...
Страница 128: ......
Страница 255: ...P A R T 4 Connection Settings and Quality of Service ...
Страница 256: ......
Страница 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...
Страница 303: ...P A R T 5 Advanced Network Protection ...
Страница 304: ......
Страница 339: ...P A R T 6 ASA Modules ...
Страница 340: ......
Страница 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...