Allow ICMP through Cisco ASA

By Default our Cisco ASA doesn’t permit ICMP from inside to outside. Cisco ASA assign a security level to each interface. 

Security levels help us to determine how trusted/safe our interfaces. The higher security level, the more trusted interface! Default Security Levels:  Inside = 100 , DMZ = 50 and Outside = 0

Based on this scenario we can see that we need to add a ladder so that deadpool can go to inside area.

How to make a ladder? 

Using ACL – We need to create ACL (Extended) to permit inside to outside.

Q: What is the difference standard & extended access list?

A: ACL’s are used to make filtering and classification of the traffic. Standard ACL denies/permits all traffic whereas Extended ACL selectively deny/permit some or all traffic depending on your requirement.

 #access-list 100 extended permit icmp x.x.x.x x.x.x.x any echo

! We use echo to allow the icmp reply from destination.

#access-list 100 extended permit icmp any x.x.x.x x.x.x.x echo-reply

! Apply the ACL

#access-group 100 in interface outside

Using Modular Policy Framework (MPF).

Create a classmap, policymap and service policy.

Classmap – Used to identify traffic.

Policymap – Used for action, policing, dropping and prioritizing.

Service Policy – Decide where the policymap gonna do the action.

#class-map inspection_default
match default-inspection-traffic

#policy-map global_policy
class inspection_default
inspect icmp

        inspect icmp error

#service-policy global_policy global


84 bytes from icmp_seq=1 ttl=45 time=141.607 ms
84 bytes from icmp_seq=2 ttl=45 time=182.624 ms

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s