
Switch on ICMP debugging trace logging with the following command:
ciscoasa(config)# debug icmp trace
From the two VMs, connectivity can be checked using ping from the console windows.
Limit the pings to a maximum of 3 packets with -n 3 (Windows) or -c 3 (Linux), or press CTRL+C to stop the ping.
DO NOT LEAVE PINGS RUNNING AS WE ARE WORKING ON SHARED VIRTUAL NETWORKS!
Linux: ping -c 3 dest_address        Windows: ping -n 3 dest_address
Questions
Q: Can the WINDOWS VM ping the Linux VM?
Q: Can the Linux VM ping the WINDOWS VM?
Q: What might be causing this?
By default, the ASA handles ICMP ping and traceroute traffic differently from a router.
ICMP sent to an ASA interface is replied to, but inbound ICMP through the ASA is blocked by default, because traffic is not allowed to go from an interface with a lower security level to an interface with a higher security level (outside 0 to inside 100 is not allowed). Outbound ICMP is permitted (inside 100 to outside 0 is allowed), but the reply coming back is blocked by default, since it arrives inbound on the lower-security interface.

There are two options which will allow inside users to ping hosts on the outside. The first option is to set up a specific firewall rule for the echo-reply traffic, and the other is to create application inspection for ICMP.
Create an ACL rule. Note that the command is access-list, not ip access-list as on a router; the syntax is also slightly different, in that the ruleset name has to be entered for every rule.

ciscoasa(config)# access-list ICMP_REPLY extended permit icmp any any echo-reply

Review using the show access-list command to check it is configured correctly.


Apply the ACL inbound on the outside interface. Note that the syntax is again slightly different from a router.
ciscoasa(config)# access-group ICMP_REPLY in interface outside
Use the show run command to check it is configured correctly.
The show run command can be used with filters to show only the config lines of interest:
show run | include ICMP_REPLY
Questions
Q: What filter might be used to show all access list config lines?
Check the VM’s connectivity again.
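The ACL and access-group lines above can be audited offline. As an added example (not part of the lab sheet), a small Python check runs over a constructed `show run | include access-` sample, flags ICMP entries that permit more than reply traffic, and reports where each ACL is bound:

```python
import re

# Constructed sample of `show run | include access-` output from a lab ASA
# (not real device output). The OPEN_ICMP line is deliberately too broad.
SAMPLE_RUN = """\
access-list ICMP_REPLY extended permit icmp any any echo-reply
access-list ICMP_REPLY extended permit icmp any any time-exceeded
access-list ICMP_REPLY extended permit icmp any any unreachable
access-list OPEN_ICMP extended permit icmp any any
access-group ICMP_REPLY in interface outside
"""

# ICMP types that are replies to probes an inside host sent itself
# (ping replies plus the messages traceroute relies on).
REPLY_TYPES = {"echo-reply", "time-exceeded", "unreachable"}

# Matches one ICMP access control entry; the ICMP type is optional on the ASA.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+icmp\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+(?P<type>[a-z-]+))?\s*$"
)
# Matches the line that binds an ACL to an interface and direction.
GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<iface>\S+)"
)


def audit_icmp_acls(config_text):
    """Return (findings, bindings) for the ICMP-related lines of an ASA config.

    findings: descriptions of permit entries broader than reply traffic.
    bindings: acl_name -> (direction, interface) taken from access-group lines.
    """
    findings, bindings = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        ace = ACE_RE.match(line)
        if ace and ace.group("action") == "permit":
            icmp_type = ace.group("type")
            if icmp_type is None:
                findings.append(f"{ace.group('name')}: permits ALL ICMP types (no type given)")
            elif icmp_type not in REPLY_TYPES:
                findings.append(f"{ace.group('name')}: permits non-reply type {icmp_type}")
            continue
        group = GROUP_RE.match(line)
        if group:
            bindings[group.group("name")] = (group.group("dir"), group.group("iface"))
    return findings, bindings
```

Paste the real `show run | include access-` output in place of the constructed sample to check your own lab box.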
