Cisco asa

Discussion in 'Routing & Switching' started by Leehaa, Feb 2, 2010.

  1. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Feb 2, 2010 #1
    Remove Advertisement - Premium Membership
    What is the basic thing you have to do to get a device on one side of an ASA to ping a device on another?

    The devices on the networks either side of the ASA can ping it fine (well actually the high side can, and the low side can't...but the ASA can see the device on the low side)

    I have set up NAT to change each device so that they are converted to the correct IP when they get from one side to the other.

    In access rules, it's confusing. Once you've used NAT, which ip addresses are you supposed to be allowing to communicate with the other side? The original ip, or the one that occurs after NAT?

    Is it just ICMP echo and ICMP echo reply that should be enabled, or do you need to add another service also?

    Is there some other kind of access control that needs to be configured?

    Please somebody help :blink
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  2. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    Feb 2, 2010 #2
    Remove Advertisement - Premium Membership
    Something like this should work

    access-list <ACL_NAME> extended permit icmp any host <HOST> echo
    access-list <ACL_NAME> extended permit icmp any host <HOST> echo-reply
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  3. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Feb 2, 2010 #3
    This is from a PIX but should be similar:

    access-list outside permit icmp any any echo
    access-list outside permit icmp any any echo-reply
    access-list outside permit icmp any any source-quench
    access-list outside permit icmp any any unreachable
    access-list outside permit icmp any any time-exceeded

    If the link is across a VPN for example you need to create a No Nat Rule and apply this as well e.g.

    access-list no_nat permit ip 10.10.194.0 255.255.255.0 192.168.145.0 255.255.255.0
    nat (inside) 0 access-list no_nat
    nat (inside) 1 10.10.194.0 255.255.255.0 0 0
     
    Last edited: Feb 2, 2010
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  4. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Feb 2, 2010 #4
    Thank you! :)
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE

Share This Page

Loading...
Remove Advertisement - Premium Membership
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...