ICMP PING CMD IN FIREWALL & ASDM

Cisco Firewalls and PING(Note: Tracert uses Ping protocols and the firewall treats ping and tracert the same)

Problem

With regards to Ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewalls outside interface can be pinged from outside. OK – to understand pinging through a Cisco Firewall you need to understand that Ping is part of the ICMP protocol suite, and unlike other protocols is not “connection orientated” what that means is, (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out but it won’t let ping traffic back in – this results in a failure on the client.

Solution

Cisco ASA and Cisco PIX (version 7 and above) From CLI Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It’s NOT turned on by default. And the command is “inspect icmp” but you need to enter the default map first (this assumes you have the standard policy-map).Connect to the firewall and use the following commands from config terminal mode. then save the changes with a "write mem" command.

PetesASA> PetesASA> en Password: ******** PetesASA# conf t PetesASA(config)# policy-map global_policy PetesASA(config)# (config-pmap)# class inspection_default PetesASA(config)# inspect icmp PetesASA(config)# write mem Building configuration... Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425 8695 bytes copied in 3.670 secs (2898 bytes/sec) [OK] PetesASA(config)#

Cisco ASA and Cisco PIX (version 7 and above) From ASDM Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select "inspection_default" > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.

Cisco PIX (version 6 and below) From CLI Older firewall do not have an inspection map, nor was there a "fixup" for ICMP and ping traffic, so you need to explicitly allow the return icmp traffic back in. Note: this assumes you already have an inbound access-list called "inbound", and we are adding some more lines to it, change the works inbound to match the name/number of your inbound access list (the "show access-group" will tell you what is applied to the outside interface) e.g.

PetesASA> PetesASA> en Password: ******** PetesASA# show access-groupaccess-group inbound in interface outside <<This ones called inbound.

If you already have an access-list applied then simply substitute the name word "inbound" for the name on your ACL.

PetesASA# conf t PetesASA(config)# access-list inbound permit icmp any any echo-reply  PetesASA(config)# access-list inbound permit icmp any any time-exceeded  PetesASA(config)# access-list inbound permit icmp any any unreachable PetesASA(config)# access-list inbound permit icmp any any source-quench

If you HAD an inbound ACL skip this step, If you didn't have one you need to apply the ACL with an access-group command.

PetesASA(config)# access-group inbound in interface outside

Lastly save your work with a write mem command.

PetesASA# write mem Building configuration... Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7 [OK] PetesASA#

Cisco PIX (version 6 and below) From PDM Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select "echo-reply"> OK > Apply > File > Save running configuration to flash. Then repeat for time-exceeded, unreachable and source-quench

Stop Interfaces replying to Ping traffic As stated above all firewall interfaces will respond to pings if they are on the network you are connected to. To stop this you use the "icmp" command. Do the same from ASDM Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash. Do the same from PDM Connect to the PDM > Configuration > system Properties > Administration > ICMP > Add > > Specify the Type, Interface, Source etc > OK > Apply > File > Save running configuration to flash.