Cisco Firewalls and PING

KB ID 0000351

Problem

With regards to ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewall's outside interface can be pinged from outside.

OK, to understand pinging through a Cisco firewall you need to understand that ping is part of the ICMP protocol suite and, unlike the TCP and UDP traffic the firewall tracks statefully, is not “connection oriented”. What that means is that on a new firewall with no rules applied outbound, the firewall happily lets the ping (echo request) out, but it has no connection to match the echo reply against, so it won’t let the reply back in. The result is a failed ping on the client.

Also See:

Cisco ASA 5500 Allowing Tracert

Solution

Cisco ASA and Cisco PIX (version 7 and above) From CLI

Version 7 introduced an ICMP inspection engine, so the firewall can track ICMP requests and their replies like it does other protocols. It’s NOT turned on by default. The command is “inspect icmp”, but you need to enter the default policy map and its inspection class first (this assumes you still have the standard policy-map, global_policy). Connect to the firewall and use the following commands from config terminal mode, then save the changes with a “write mem” command.

[box]

PetesASA>
PetesASA> enable
Password:********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect icmp
PetesASA(config-pmap-c)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425 
8695 bytes copied in 3.670 secs (2898 bytes/sec)
 [OK] 
PetesASA(config-pmap-c)#

[/box]
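The following is an added example and is not a session captured from the article’s firewall. It shows the same change in its full context: the factory-default global_policy and inspection_default class, the companion “inspect icmp error” command for ICMP error messages (unreachable, time-exceeded) that relate to a tracked connection, and the “show” commands used to confirm the inspection is active. The hostname PetesASA is the article’s; lines starting with “!” are annotations, not commands that were typed. The expected output shown is typical, not a quoted capture.

```cisco
! Added example (not the article's own output): enable ICMP inspection in the
! default global policy on an ASA 7.x/8.x and verify it.
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
! Track echo request/reply pairs so replies are allowed back in
PetesASA(config-pmap-c)# inspect icmp
! Also handle ICMP error messages that refer to an existing connection
! (this is what traceroute through the firewall relies on)
PetesASA(config-pmap-c)# inspect icmp error
PetesASA(config-pmap-c)# exit
PetesASA(config-pmap)# exit
PetesASA(config)# write mem

! Check 1: the inspections are part of the policy that is applied globally
PetesASA(config)# show running-config policy-map
! Expect to see, under "class inspection_default":
!   inspect icmp
!   inspect icmp error
PetesASA(config)# show running-config service-policy
! Expect: service-policy global_policy global

! Check 2: packet counters for the ICMP inspection increase while an inside
! host is pinging, and an ICMP connection entry exists for the duration
PetesASA(config)# show service-policy inspect icmp
PetesASA(config)# show conn protocol icmp
```

If “show running-config service-policy” returns nothing, the policy map exists but is not applied, and the inspect lines have no effect until “service-policy global_policy global” is entered.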

Cisco ASA and Cisco PIX (version 7 and above) From ASDM

Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select “inspection_default” > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.

Cisco PIX (version 6 and below) From CLI

Older firewalls do not have an inspection map, nor was there a “fixup” for ICMP and ping traffic, so you need to explicitly allow the return ICMP traffic back in. Note: this assumes you already have an inbound access-list called “inbound” and we are adding some more lines to it; change the word inbound to match the name/number of your inbound access list (“show access-group” will tell you what is applied to the outside interface),

e.g.

[box]

PetesASA>
PetesASA> enable
Password: ********
PetesASA# show access-group
access-group inbound in interface outside << This one's called inbound.

[/box]

If you already have an access-list applied then simply substitute the word “inbound” for the name of your ACL.

[box]

PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply 
PetesASA(config)# access-list inbound permit icmp any any time-exceeded 
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench

[/box]

If you HAD an inbound ACL, skip this step. If you didn’t have one, you need to apply the ACL with an access-group command.

[box]

PetesASA(config)# access-group inbound in interface outside

[/box]

Lastly save your work with a write mem command.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#

[/box]

Cisco PIX (version 6 and below) From PDM

Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select “echo-reply” > OK > Apply > File > Save running configuration to flash.

Then repeat for time-exceeded, unreachable and source-quench.

Stop Interfaces replying to Ping traffic

As stated above, all firewall interfaces will respond to pings from the network they are connected to. To stop this you use the “icmp” command.

[box]

Syntax
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name

Example
icmp deny any echo outside

[/box]
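An added example, not from the original article, of a fuller ICMP control list for the outside interface. Two things to know about this command that the single example above does not show: the “icmp” command only controls ICMP addressed to the firewall’s own interfaces (ping through the firewall is governed by inspection and the ACLs in the earlier sections), and once any “icmp” rule exists on an interface the firewall checks rules in order, first match wins, and anything that matches no rule is denied. So “icmp deny any echo outside” on its own ends up denying every ICMP type to the outside interface, not just echo. The list below is explicit about what it keeps. The interface name outside and hostname PetesASA are the article’s; 203.0.113.10 is a constructed documentation address standing in for a management host.

```cisco
! Added example (not from the article): control which ICMP the outside
! interface itself will answer. Rules are evaluated top down, first match.
PetesASA# conf t
! Only the management host (constructed address) may ping the interface
PetesASA(config)# icmp permit host 203.0.113.10 echo outside
! Everyone else's echo requests to the interface are dropped
PetesASA(config)# icmp deny any echo outside
! Keep accepting ICMP error messages about the firewall's own traffic,
! otherwise path-MTU discovery for the firewall itself can break
PetesASA(config)# icmp permit any unreachable outside
PetesASA(config)# icmp permit any time-exceeded outside
! Redundant because of the implicit deny, but documents the intent
PetesASA(config)# icmp deny any outside
PetesASA(config)# write mem

! Check 1: what is actually applied
PetesASA(config)# show running-config icmp

! Check 2: watch ICMP arriving at and leaving the firewall while you test
! a ping from an outside host; stop with "undebug all" when finished
PetesASA(config)# debug icmp trace
PetesASA(config)# undebug all
```

Order matters: if the “deny any echo” line were entered before the “permit host … echo” line, the management host would be denied too, because the first matching rule wins.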

Do the same from ASDM

Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.

Do the same from PDM

Connect to the PDM > Configuration > System Properties > Administration > ICMP > Add > Specify the Type, Interface, Source etc. > OK > Apply > File > Save running configuration to flash.

If you are still having problems, see the following article;

Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)

Related Articles, References, Credits, or External Links

NA

Configure Cisco EasyVPN With Cisco ASA 5500

KB ID 0000337

Problem

Site to site VPNs are great for main office to branch office connections, but for remote workers in a SOHO environment obtaining a static IP address can be expensive and time consuming. Traditionally remote workers will use either AnyConnect or IPSEC remote VPNs.

However, Cisco have a system which lets you have a main site (or sites) with a static IP that acts as the EasyVPN server, while remote sites with dynamic DHCP IP addresses authenticate and connect via a hardware device. That remote hardware device can be another ASA (Note: only the ASA5505 can be used as an EasyVPN client) or a Cisco IOS router. In addition, if you have any old PIX 501 or 506E firewalls lying around, they can also be used as EasyVPN clients.

Solution

Step 1 Setup the EasyVPN server at the main site. (Example on ASA5510)

Step 2 Setup the EasyVPN client at the remote site. (Example on ASA5505)

Before you start: no other VPNs can be running from this remote device, i.e. ISAKMP cannot be enabled on its outside interface.

Related Articles, References, Credits, or External Links

NA

Site to Site IPSEC VPN from SonicWALL to Cisco ASA

KB ID 0000357

Problem

You want to put in a secure IPSEC VPN tunnel from a Cisco ASA device to a SonicWALL firewall. Note: in this example we will use 3DES for encryption, SHA1 for hashing, Diffie Hellman Group 2, PFS enabled, and a shared secret (Pre Shared Key).

SonicWALL used in this example is a PRO 3060.

Solution

The two main gotchas

Update 12/03/11 Feedback from Wajma Omari:

I would like to add that this configuration will build the tunnel, but one more step is needed to enable the traffic between the two networks, and that is by adding an ACL from the inside network to the remote site: Configuration – Firewall – Advanced – ACL Manager – Add – Add ACL and then Add ACE

Thanks for the very helpful article

Many Thanks for the feedback! Pete

Related Articles, References, Credits, or External Links

Special thanks to David Pounds for his help with the SonicWALL configuration.

Upgrade Cisco PIX 515E to Version 8.0(4)

and ASDM version 6.1(5)

KB ID 0000424

Problem

I had to update a Cisco PIX 515E last week. Cisco PIX 500 series firewalls are a bit thin on the ground these days, and most of my corporate clients have replaced them with Cisco ASA 5500 firewalls. So as these units are now getting retired, moved to the test bench, or sold on eBay, I thought I’d document probably the last one I did, for posterity and to help anyone else out.

Note: Cisco PIX 506E and 501 firewalls cannot be updated past version 6.3(5); see here.

Solution

Related Articles, References, Credits, or External Links

Also see Connecting to and Managing Cisco Firewalls.

For information on 3CDaemon TFTP Server click here.