Saturday, February 13, 2016

Allowing PING Through an ASA

The ASA Security Appliance blocks ICMP packets by default, which includes ping. In the following post, I'll show you how to create an Access-Control List (ACL) that permits ICMP traffic through the firewall from the inside to the outside.

In order for an ACL to have any effect, it must be applied to an interface or a function.  In the following example, the ACL is designed to permit inside hosts to ping hosts on an outside network such as the public Internet. In the example shown, “101” is just a label for the list. It could just as easily be a descriptive name such as “permit_ping”. (ICMP stands for Internet Control Message Protocol, the protocol used by ping and some other network utilities.)

The first four lines in the following example identify and permit the traffic flows. The last line applies the list to inbound traffic on the outside interface. Note the use of the “access-group 101” statement, which applies access-list 101 to the interface.

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside


The above access-control list permits several types of ICMP traffic in addition to ping packets. If you want to allow only ping packets, use the following commands:

access-list 101 permit icmp any any echo-reply
access-group 101 in interface outside
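To see what either list actually lets in from the outside, here is an added Python example (not from the post or the book) that parses the access-list lines above, evaluates them first-match with the implicit deny the ASA places at the end of every ACL, and reports which ICMP types an outside host may send to an inside host. The ICMP type names, the 203.0.113.10 and 192.0.2.20 addresses and the config text are constructed sample values.

```python
import ipaddress
import re

# Constructed sample: the post's ACL as "show running-config" prints it ("101" is the post's label).
ACL_FULL = """\
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
"""

# One access-control entry (ACE): optional "extended", icmp only, optional ICMP type at the end.
ACE_RE = re.compile(
    r"^access-list\s+(?P<id>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+icmp\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+(?P<type>[a-z-]+))?\s*$")

def _to_net(spec):
    """ASA address spec ('any', 'host A.B.C.D', 'A.B.C.D MASK') -> IPv4Network."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)  # dotted subnet mask

def parse_acl(config, acl_id):
    """Ordered ACEs for acl_id as (action, src_net, dst_net, icmp_type or None)."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("id") == acl_id:
            aces.append((m.group("action"), _to_net(m.group("src")),
                         _to_net(m.group("dst")), m.group("type")))
    return aces

def evaluate(aces, src_ip, dst_ip, icmp_type):
    """First matching ACE wins, as on the ASA; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, ace_type in aces:
        if src in src_net and dst in dst_net and ace_type in (None, icmp_type):
            return action
    return "deny"  # implicit deny at the end of every ASA access list

ICMP_TYPES = ("echo", "echo-reply", "unreachable", "time-exceeded", "source-quench")
def permitted_types(config, acl_id="101", src="203.0.113.10", dst="192.0.2.20"):
    """ICMP types an outside host (src) may send to an inside host (dst) through the ACL."""
    aces = parse_acl(config, acl_id)
    return [t for t in ICMP_TYPES if evaluate(aces, src, dst, t) == "permit"]

print(permitted_types(ACL_FULL))  # ['echo-reply', 'unreachable', 'time-exceeded', 'source-quench']
```

Note that "echo" (an inbound ping request) is absent from the result: both lists let inside hosts receive replies without letting outside hosts ping inside hosts.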


The above post is taken from my book Cisco ASA Security Appliance for Accidental Administrators, available in Kindle and paperback editions through Amazon and other resellers.