
Cisco ASA 5506-X Configuration Manual page 291


Chapter 13
Troubleshooting Connections and Resources
hostname(config)# icmp permit 0.0.0.0 0.0.0.0 echo inside
hostname(config)# icmp permit 0.0.0.0 0.0.0.0 echo-reply inside
Step 2 Ensure access rules allow ICMP.
When pinging a host through an ASA, access rules must allow ICMP traffic to leave and return. The
access rule must at least allow Echo Request/Echo Reply ICMP packets. You can add these rules as
global rules.
Assuming you already have access rules applied to interfaces or applied globally, simply add these rules
to the relevant ACL, for example:
hostname(config)# access-list outside_access_in extended permit icmp any any echo
hostname(config)# access-list outside_access_in extended permit icmp any any echo-reply
Alternatively, just allow all ICMP:
hostname(config)# access-list outside_access_in extended permit icmp any any
If you do not yet have access rules, you must also permit the other traffic you want to pass, because
applying any access rule to an interface adds an implicit deny at the end of the ACL, so all traffic not
explicitly permitted is dropped. Use the access-group command to apply the ACL to an interface or globally.
If you are simply adding the rule for testing purposes, you can use the no form of the access-list
command to remove the rule from the ACL. If the entire ACL is simply for testing purposes, use the no
access-group command to remove the ACL from the interface.
Step 3 Enable ICMP inspection.
ICMP inspection is needed when pinging through the ASA, as opposed to pinging an ASA interface.
Inspection lets the returning traffic (the Echo Reply packet) reach the host that initiated the ping, and
also ensures there is one reply per request, which prevents certain types of attack.
You can simply enable ICMP inspection in the default global inspection policy.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect icmp
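The three steps above applied together as a single CLI session, followed by verification and the cleanup commands for a test-only rule set. This is an added example, not a configuration taken from the Cisco guide; the interface names inside and outside, the ACL name outside_access_in, and the test host 203.0.113.10 are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Interface names "inside"/"outside",
! ACL name "outside_access_in" and host 203.0.113.10 are assumed for illustration.
!
! Step 1: allow hosts to ping the inside interface itself (the ASA answers these).
hostname(config)# icmp permit 0.0.0.0 0.0.0.0 echo inside
hostname(config)# icmp permit 0.0.0.0 0.0.0.0 echo-reply inside
!
! Step 2: permit only Echo Request / Echo Reply through the ASA, not all ICMP.
hostname(config)# access-list outside_access_in extended permit icmp any any echo
hostname(config)# access-list outside_access_in extended permit icmp any any echo-reply
! Binding the ACL adds an implicit deny, so any other traffic that must pass
! needs its own permit entry in this ACL before the next command is entered.
hostname(config)# access-group outside_access_in in interface outside
!
! Step 3: inspect ICMP so each Echo Reply is matched to the request that caused it.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
!
! Verify: ACE hit counts, the inspection state, then an ICMP and a TCP ping.
hostname(config)# show access-list outside_access_in
hostname(config)# show service-policy inspect icmp
hostname(config)# ping 203.0.113.10
hostname(config)# ping tcp 203.0.113.10 80
!
! Cleanup if the entries were only for testing: remove the two ACEs, or unbind
! the whole ACL if it existed only for this test.
hostname(config)# no access-list outside_access_in extended permit icmp any any echo
hostname(config)# no access-list outside_access_in extended permit icmp any any echo-reply
hostname(config)# no access-group outside_access_in in interface outside
```

The echo and echo-reply entries are deliberately used instead of the broader permit icmp any any shown above: that line also admits every other ICMP type (redirects, timestamp requests, and so on) inbound on the outside interface, which is more than a ping test needs. Whichever form is used for testing, remove it once the test is finished so the production ACL does not keep a permissive entry it never needed.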
Ping Hosts
To ping any device, you simply enter ping with the IP address or host name, such as ping 10.1.1.1 or
ping www.example.com. For TCP ping, you include the tcp keyword and the destination port, such as
ping tcp www.example.com 80. That is usually the extent of any test you need to run.
Example output for a successful ping:
Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
If the ping fails, the output indicates ? for each failed attempt, and the success rate is less than 100
percent (complete failure is 0 percent):
Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
However, you can also add parameters to control some aspects of the ping. Following are your basic
options:
Cisco ASA Series Firewall CLI Configuration Guide
Testing Your Configuration
13-3
