Configuring ASA on GNS3-allow ICMP traffic

Posted: July 31, 2015 in CISCO

Cisco ASA (Adaptive Security Appliance) is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. An ASA can be used as a security solution for both small and large networks.

By default,ASA doesn’t allow ICMP from inside to outside interface.

Inside interface is connected to internal network,and outside interface to public network.

Interfaces have associated security levels It’s  numeric value, ranging from 0 to 100, used by the ASA to control traffic flow.  Traffic is permitted from interfaces with higher security levels to interfaces with lower security levels, but not the opposite.  We use Access-lists to permit traffic from lower security levels to higher security levels.  The default security level for an outside interface is 0.  For an inside interface, the default security level is 100.If we need to publish services to the internet the we would use another interface named DMZ (demilitarized zone) with default security level of 50


In this example inside interface has IP address of and outside’ll configure ASA to alow ping from client1 to the internet,we’ll also configure NAT on ASA,so when client access to the internet,from the outside perspective it would appear as if traffic comes from ASA’s outside interface.

R1 configuration

See for connecting GNS3 router to the internet

R1(config)#int fa0/0
R1(config-if)#no shut
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside
R1(config-if)#int s1/0
R1(config-if)#ip address
R1(config-if)#no shut
R1(config-if)#ip nat inside
R1(config)#ip route  !DG for my laptop physical NIC
R1(config)#router eigrp 20
R1(config-router)#no auto-summary
R1(config-router)#redistribute static  !advertise route to the internet to all EIGRP neighbors
R1(config)#access-list 3 permit   !network where client resides
R1(config)#access-list 4 permit !asa outside network
R1(config)#access-list 5 permit   !asa inside network
R1(config)#ip nat inside source list 3 interface FastEthernet0/0 overload !nat rules
R1(config)#ip nat inside source list 4 interface FastEthernet0/0 overload
R1(config)#ip nat inside source list 5 interface FastEthernet0/0 overload

 R2 config

interface Serial1/0
ip address
interface FastEthernet0/0
ip address
router eigrp 20 
no auto-summary

ASA config

!interface to the internet

ciscoasa# config t
ciscoasa(config)# int g0
ciscoasa(config-if)# ip address
ciscoasa(config-if)# nameif outside

!interface to the inside network

ciscoasa# config t
ciscoasa(config)# int g1
ciscoasa(config-if)# ip address
ciscoasa(config-if)# nameif inside

!for asa,we must use real net mask,no wildcard mask
ciscoasa(config)# config t
ciscoasa(config)# router eigrp 20
ciscoasa(config-router)# network
ciscoasa(config-router)# network
ciscoasa(config-router)# no auto-summary

!create access lists to allow traffic from "inside" ( to the internet (any),unlike !CISCO router and switches,for ASA access lists we must use real network masks

ciscoasa(config)#access-list 102 extended permit icmp any echo
!echo reply comes from location we pinged (any) so we allowed ICMP reply from internet !(any) to our internal-"inside" network (
ciscoasa(config)#access-list 102 extended permit icmp any echo-reply
!apply this ACL to the traffic flowing from the inside network IN to the outside interface
ciscoasa(config)#access-group 102 in interface outside

IN and OUT directions can be confusing :),for better understanding go to

Alternativelly,we can use Modular Policy Framework (MPF) to enable ICMP traffic

A class map identifies traffic to which we want to apply actions (we created class map named icm-traffic-we can set any name we want):

ciscoasa(config)# class-map icmp-traffic

Default class map is called default-inspection-traffic.The “default_inspection_traffic” is all traffic that is predefined for various protocols,among them ICMP.

ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:
access-list                 Match an Access List
any                         Match any packet
default-inspection-traffic  Match default inspection traffic:
ctiqbe----tcp--2748      dns-------udp--53
ftp-------tcp--21        gtp-------udp--2123,3386
h323-h225-tcp--1720      h323-ras--udp--1718-1719
http------tcp--80        icmp------icmp
ils-------tcp--389       ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514       rtsp------tcp--554
sip-------tcp--5060      sip-------udp--5060
skinny----tcp--2000      smtp------tcp--25
sqlnet----tcp--1521      tftp------udp--69
waas------tcp--1-65535   xdmcp-----udp--177
dscp                        Match IP DSCP (DiffServ CodePoints)
flow                        Flow based Policy
port                        Match TCP/UDP port(s)
precedence                  Match IP precedence
rtp                         Match RTP port numbers
tunnel-group                Match a Tunnel Group

ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config-cmap)# exit

Associate actions with prevoiusly created class maps by creating a policy map named my-policy and inspect icmp traffic

ciscoasa(config)# policy-map my-policy
ciscoasa(config-pmap)# class icmp-traffic
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error

Finally,assign policy map to outside interface

ciscoasa(config)# service-policy my-policy interface outside

To summarize:

class-map:identifies the traffic (icmp in our case,defined in default-inspection-traffic)

policy-map:action to take on traffic specified in class map (inspect icmp)

service-policy:where to apply actions specified in policy map (outside interface)

Enable icmp debugging on ASA:

ciscoasa# debug icmp trace
debug icmp trace enabled at level 1

Ping from the client and observer debugging output:


On R1,see NAT table:

R1#sh ip nat translations
Pro Inside global                          Inside local                      Outside local                Outside global

From the inside perspective,trafic is originated from the client
Configuring NAT in ASA firewall

Create object network for internal network ( named mynetwork:

ciscoasa(config)# object network mynetwork
ciscoasa(config-network-object)# subnet
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

Creates a NAT rule for traffic sourced from devices
from the inside ( to the outside,translate the source address of the inside networ and substitute the source address of the outside interface of the ASA ( again internet from client1 and observe nat translation table

Pro Inside global                          Inside local                      Outside local            Outside global


Traffic from client1 ( appears as if it’s from ASA server’s outside interface

  1. Thanks for the link back!


  2. Jairo Castro says:

    I don’t understand why I am unable to ping the outside interface from the router and vice-versa, I configured the policy and traffic inspection. 😦
    Any suggestion?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s