By default our Cisco ASA does not let a ping from inside to outside succeed: the echo request leaves, but the echo-reply coming back is dropped. The reason is that the Cisco ASA assigns a security level to each interface, and ICMP is not tracked statefully by default, so the reply arriving from a lower-security interface has nothing that permits it.
Security levels help us determine how trusted/safe our interfaces are. The higher the security level, the more trusted the interface! Default security levels: Inside = 100, DMZ = 50 and Outside = 0.
Based on this scenario we can see that we need to add a ladder so that Deadpool can get into the inside area.
How to make a ladder?
Using an ACL – We need to create an extended ACL to permit the ping from inside to outside, including its reply back in.
Q: What is the difference between a standard and an extended access list?
A: ACLs are used to filter and classify traffic. A standard ACL denies/permits all traffic, whereas an extended ACL selectively denies/permits some or all traffic depending on your requirement.
#access-list 100 extended permit icmp x.x.x.x x.x.x.x any echo
#access-list 100 extended permit icmp any x.x.x.x x.x.x.x echo-reply
! The echo-reply entry is what lets the reply from the destination back in.
! Apply the ACL inbound on the outside interface, where the reply arrives.
#access-group 100 in interface outside
Using the Modular Policy Framework (MPF).
Create a class-map, a policy-map and a service policy.
Class-map – used to identify traffic.
Policy-map – used for the action: policing, dropping and prioritizing.
Service policy – decides where the policy-map does its action.
With inspect icmp the ASA remembers each outgoing echo request and lets only the matching reply back in, so no ACL entry for echo-reply is needed; inspect icmp error does the same for ICMP error messages such as time-exceeded. The default class-map inspection_default and policy-map global_policy already exist on the ASA, so we only add the inspect lines to them:
#policy-map global_policy
# class inspection_default
#  inspect icmp
#  inspect icmp error
#service-policy global_policy global
After either change, a ping from an inside host to an outside address gets its replies:
84 bytes from 184.108.40.206 icmp_seq=1 ttl=45 time=141.607 ms
84 bytes from 220.127.116.11 icmp_seq=2 ttl=45 time=182.624 ms
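The two ladders side by side, as an added Python model that is not part of the original post: acl_ladder mirrors the stateless echo-reply entry applied inbound on outside, InspectIcmp mirrors inspect icmp, and the constructed traffic shows why the stateful ladder is the safer one (it rejects an echo-reply that no inside host asked for). Addresses, names and the ICMP identifier values are made up.

```python
# Model of the two ASA "ladders" from the post: stateless echo-reply ACL
# on the outside interface vs. stateful "inspect icmp". Constructed
# example, not ASA code; addresses are made up.
from dataclasses import dataclass, field

INSIDE_NET = "10.1.1."   # constructed inside subnet prefix

@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: str   # "echo" or "echo-reply"
    ident: int       # ICMP identifier; ties a reply to its request
    direction: str   # "inside->outside" or "outside->inside"

def acl_ladder(pkt):
    """access-group 100 in interface outside: permit icmp any <inside>
    echo-reply. Inside->outside passes by default (high to low level)."""
    if pkt.direction == "inside->outside":
        return True
    return pkt.icmp_type == "echo-reply" and pkt.dst.startswith(INSIDE_NET)

@dataclass
class InspectIcmp:
    """inspect icmp: remember each outbound echo request and admit only
    the reply whose (src, dst, ident) is the mirror image of an open one."""
    sessions: set = field(default_factory=set)
    def allow(self, pkt):
        if pkt.direction == "inside->outside":
            if pkt.icmp_type == "echo":
                self.sessions.add((pkt.src, pkt.dst, pkt.ident))
            return True
        key = (pkt.dst, pkt.src, pkt.ident)
        if pkt.icmp_type == "echo-reply" and key in self.sessions:
            self.sessions.discard(key)   # one request, one reply
            return True
        return False

def compare(pkts):
    """Return (acl_verdicts, inspect_verdicts) for a packet sequence."""
    insp = InspectIcmp()
    return [acl_ladder(p) for p in pkts], [insp.allow(p) for p in pkts]

# Constructed traffic: a normal ping exchange, then an unsolicited reply.
SAMPLE = [
    Packet("10.1.1.5", "203.0.113.9", "echo", 42, "inside->outside"),
    Packet("203.0.113.9", "10.1.1.5", "echo-reply", 42, "outside->inside"),
    Packet("198.51.100.7", "10.1.1.5", "echo-reply", 7, "outside->inside"),
]
```

compare(SAMPLE) returns ([True, True, True], [True, True, False]): the ACL ladder also admits the third, unsolicited reply, while inspect icmp drops it.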