ASA No 2 Lab
Test | Try | Pass
Switch on the ICMP debugging trace logging, using the following command:
ciscoasa(config)# debug icmp trace
From the two VMs, connectivity can be checked using ping from the console windows.
Limit the ping to a maximum of 3 packets with -n3 (Windows) or -c3 (Linux), or press CTRL+C to stop the ping.
DO NOT LEAVE PINGS RUNNING AS WE ARE WORKING ON SHARED VIRTUAL NETWORKS!
Linux: ping -c3 dest_address    Windows: ping -n3 dest_address
Questions
Q: Can the WINDOWS VM ping the Linux VM?
Q: Can the Linux VM ping the WINDOWS VM?
Q: What might be causing this?
By default, the ASA handles ICMP ping and traceroute traffic differently from a router.
ICMP sent to an ASA interface is replied to, but inbound ICMP through the ASA is blocked by default, because traffic is not allowed to go from an interface with a lower security level to an interface with a higher security level (outside 0 to inside 100 is not allowed). Outbound ICMP is permitted (inside 100 to outside 0 is allowed), but the reply is blocked by default.
There are two options which will allow inside users to ping hosts on the outside. The first option is to set up a specific firewall rule for the echo-reply traffic, and the other is to create application inspection for ICMP.
Create an ACL rule. Note that the command is access-list, not ip access-list as on a router; the syntax is slightly different, as the ruleset name has to be entered for every rule.
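The two options described above, written out as an added configuration example (not part of the original lab sheet). It assumes the interfaces are named inside (security level 100) and outside (security level 0) and that the ACL is called OUTSIDE_IN; the policy-map and class names are the ASA defaults.

```cisco
! Option 1: explicit rule for the returning echo-reply traffic.
! The ruleset name (OUTSIDE_IN, assumed) is repeated on every access-list line.
ciscoasa(config)# access-list OUTSIDE_IN extended permit icmp any any echo-reply
ciscoasa(config)# access-list OUTSIDE_IN extended permit icmp any any time-exceeded
ciscoasa(config)# access-list OUTSIDE_IN extended permit icmp any any unreachable
! Apply the ruleset inbound on the lower-security (outside) interface.
ciscoasa(config)# access-group OUTSIDE_IN in interface outside

! Option 2: ICMP application inspection, so the ASA tracks the outbound
! echo-request and allows only the matching echo-reply back in.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

! Checks: confirm the rule is installed and counting hits, and that
! inspection is active, then re-run the -c3 / -n3 ping with
! "debug icmp trace" switched on to watch each packet's decision.
ciscoasa# show access-list OUTSIDE_IN
ciscoasa# show service-policy inspect icmp
```

Use one option or the other for the lab: with inspection enabled the echo-reply ACL entry is not needed, and the time-exceeded and unreachable entries in option 1 are only there so that traceroute responses are also let back in.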