Hi All, this is a very common question I always get during bootcamps and see on many forums: does the ASA support 'source interface' for ping?

How do you allow ICMP Echo Requests on a Cisco ASA 55xx Router? How do I configure the router to allow ICMP Echo Requests? Are there other types of ICMP requests that should be allowed? What are the potential downsides of allowing them all? Assume you have an access-group fromoutside on interface outside and you want to allow ICMP echo on it.

The answer is: it depends on the software and also on what you want to achieve. Why doesn't the ASA support it? Because the ASA is a security device and it shouldn't be used to discover other hosts on the network. For the same reason there is no TELNET/SSH client on the ASA. I assume that most people need the ping 'source' option to trigger a LAN-to-LAN VPN tunnel from the ASA side.
There seems to be a lot of talk about setting up the Cisco ASA with inside and outside interfaces. What if the outside network of your infrastructure is already being managed by another firewall/router? Then there is no need for an outside interface. I would like to configure the ASA with just an internal interface connecting to my internal network. External traffic coming into my ASA for SSL VPN/IPsec Remote Access will be routed via the existing network in place. The only other interfaces that will be used are for HA stateful failover. Is there any issue with this concept? I am replacing a Juniper SA 4500 with an ASA 5540, which only uses one interface (internal). Your responses would be much appreciated.

Hello Ricardo, this is not an easy one, since we do not have / handle all the details about your network infrastructure. Nevertheless, let me share my thoughts: the ASA is supposed to be an inband device, where it has an inside and an outside interface. The reason behind this is to protect your assets, since by default any connection originated from the outside to the inside is not allowed, only from inside to outside.

So, what you can do is to connect the 'outside' interface of the ASA to the Firewall/Router you mentioned above and the 'inside' interface to the local network. So VPN connections will land on the outside interface and the protected networks will be connected to the inside, only reachable through a VPN connection. Let's keep in mind that traffic from outside to inside from an established VPN connection is allowed by default ('sysopt connection permit-vpn'). HTH. - Javier.

Javier, thanks for your prompt response. You're right, and this was my initial plan, but I also wanted to keep the existing setup as the Juniper SA with just one interface (inside or outside), which is connecting to a switch which connects to a Firewall. A second interface (inside or outside) would be useless (possibly) because as traffic comes in from the outside it goes through the Firewall-DMZ, routes to the Juniper SA via a switch L3 VLAN, and routes back out the same interface to the Firewall-DMZ to the internal network. (Hope that makes sense; I am unable to provide any config as this is a classified network.) The question I really wanted answered is whether this setup would be possible (even though it's not the recommended design) and if there would be any configuration issues. Thanks in advance.
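As an added illustration of the two points raised in this thread (the ICMP echo question with an access-group on the outside interface, and Javier's note that VPN traffic bypasses the interface ACL under 'sysopt connection permit-vpn'), here is an ASA configuration fragment that is not from any of the posters; it assumes the ACL name fromoutside and the interface name outside from the question, and the default global_policy / inspection_default names.

```cisco
! Added example, not from the thread. Assumes ACL "fromoutside" applied inbound on "outside".
!
! Permit only the ICMP types that inside hosts actually need from the outside:
! echo for inbound ping, and the two error types that traceroute and path-MTU
! discovery rely on. Any other ICMP type (timestamp, mask request, redirect...)
! hits the implicit deny at the end of the ACL, which limits the host-discovery
! and topology information an outside party can collect.
access-list fromoutside extended permit icmp any any echo
access-list fromoutside extended permit icmp any any unreachable
access-list fromoutside extended permit icmp any any time-exceeded
access-group fromoutside in interface outside
!
! With ICMP inspection on, the ASA tracks each echo as a flow and lets only the
! matching echo-reply back through, so no "permit icmp any any echo-reply" is needed
! (and leaving it out avoids admitting unsolicited replies).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Pings addressed to the ASA's own outside interface are controlled by the
! "icmp" command, not by the interface ACL. Permit echo only, to that interface.
icmp permit any echo outside
!
! Caveat from the thread: while this default is in place, decrypted traffic
! arriving over a terminated VPN tunnel is NOT checked against "fromoutside".
! Remove it (no sysopt connection permit-vpn) if VPN traffic must be subject
! to the interface ACL as well.
sysopt connection permit-vpn
```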