Ping 192.168.1.1 -c 9999999
If you are in Linux and it is not doing a continuous ping by default, there is probably an alias for the ping command which is changing the way you invoke ping. Find where the ping command is using "which ping", then call the program from there and it should be continuous: /bin/ping 192.168.1.1.
Asa-firewall#
For each exclamation mark above there are 3 packets generated:
- SYN packet from the ASA to the destination host.
- SYN-ACK packet from the destination host back to the ASA.
- RST packet from the ASA to the destination host.
The 'ping tcp' command is a great way to generate outbound TCP traffic to verify reachability to a foreign host!
The ASA Security Appliance, by default, blocks ICMP packets which includes PING. In the following post, I'll show you how to create an Access-Control List (ACL) which will permit ICMP traffic through the firewall from the inside to the outside.
In order for an ACL to have any effect, it must be applied to an interface or a function. In the following example, the ACL is designed to permit inside hosts to ping hosts on an outside network such as the public Internet. In the example shown, “101” is just a label for the list. It could just as easily be a descriptive name such as “permit_ping”. (ICMP stands for Internet Control Message Protocol, the protocol used by ping and some other network utilities.)
The first four lines in the following example identify and permit the traffic flows. The last line applies the list to inbound traffic on the outside interface. Note the use of the “access-group 101” statement which applies access-list 101 to the interface.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
The above access-control list permits several types of ICMP traffic in addition to ping packets. If you want to allow only ping packets, use the following commands:
access-list 101 permit icmp any any echo-reply
access-group 101 in interface outside
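An added example, not taken from the post or the book, that parses access-list and access-group lines like the ones above and reports which ICMP types each interface admits inbound, flagging any entry broader than the reply-only set the post recommends. It assumes source and destination are single tokens ("any" or an object name) and uses a constructed sample: the post's four entries plus one over-broad line.

```python
import re

# Reply-only ICMP types: the post's recommended inbound list permits nothing else.
REPLY_ONLY_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}
# Assumes src/dst are single tokens ("any" or an object name), not "host x".
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+icmp\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

def parse_config(text):
    """Return ({acl: [(action, src, dst, icmp_type)]}, [(acl, direction, iface)])."""
    acls, bindings = {}, []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, action, src, dst, itype = m.groups()
            acls.setdefault(name, []).append((action, src, dst, itype or "any"))
            continue
        m = GROUP_RE.match(line.strip())
        if m:
            bindings.append(m.groups())
    return acls, bindings

def audit_icmp(text):
    """Per interface with an inbound ACL: the ICMP types it admits, plus
    findings for entries broader than the reply-only set."""
    acls, bindings = parse_config(text)
    report = {}
    for acl, direction, iface in bindings:
        if direction != "in":
            continue
        permitted, findings = [], []
        for action, src, dst, itype in acls.get(acl, []):
            if action != "permit":
                continue
            permitted.append(itype)
            if itype == "any":
                findings.append(f"{acl}: permits every ICMP type {src} -> {dst}")
            elif itype not in REPLY_ONLY_TYPES:
                findings.append(f"{acl}: permits unsolicited ICMP '{itype}' inbound")
        report[iface] = {"permitted": permitted, "findings": findings}
    return report

# Constructed sample: the post's four entries plus one over-broad line.
SAMPLE = """
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo
access-group 101 in interface outside
"""
```

Running audit_icmp(SAMPLE) reports the fifth line, which would admit unsolicited echo requests from the outside, while the post's four entries pass clean.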
The above post is taken from my book Cisco ASA Security Appliance for Accidental Administrators, available in Kindle and paperback editions through Amazon and other resellers.
Sadly enough, sometimes network equipment goes out of order. This, of course, happens when you’re least expecting it. In most cases that I’ve come across throughout my work, this is what happens: Cisco ASA is unexpectedly powered down or reloaded (due to planned or unplanned power outage, thunderstorm or work with electric equipment), and after reload, the interfaces, VPN tunnels and other services don’t come back up. We’re not going to examine the situation in which the device cannot turn on entirely and all the LED indicators are dead – in that case, a replacement for the device is the only viable option. Let’s focus on the situation when the Cisco ASA device is still operable, but does not perform a full load – i.e. the Cisco IOS operating system image can’t load properly. In this case, there is still a chance to reanimate the device, at least until you get a new one for replacement.
The first thing we need to do is connect to the firewall through a console cable. If the firewall does not respond to any commands and produces no output on the console screen, then you’ve reached the worst-case scenario – you can thank the device for its long and fruitful service and put it on a shelf. However, if you are seeing some activity on the console screen, it’s not that bad and you can try to understand what’s going on. The firewall may have entered into the special ROMMON mode (under normal circumstances, this mode is activated by pressing the ESC key during boot-up) or is in a cyclic reload that happens as it tries to load the operating system image.
The special ROMMON mode looks something like this:
Use ? for help.
ROMMON #0>
Once you’re in this mode, you should try to force the device to start by entering the system command “boot“:
ROMMON #0>boot
Cisco ASA will try to load the operating system image that is located on the internal Flash memory. I can tell you right now that, in my years of practice, this has worked only once, when I got lucky and the device booted normally. Most of the time, if the firewall does not load on its own, it will not load from the boot command in ROMMON mode either.
In this case, let’s remember how Cisco devices work:
The operating system is located on some kind of nonvolatile memory and is loaded into RAM once, upon device boot-up. After that, the operating system works until the next reload. Flash memory is the most commonly used nonvolatile memory for storing the Cisco IOS (most likely you’re reading this article because it’s what went out of order), but you always have the option to specify some external resource that stores the IOS you need to load – for example, a TFTP server.
The task of recovering your firewall will come down to:
- installing a TFTP server on some workstation. Using a simple laptop will suffice.
- placing the relevant Cisco IOS on the TFTP server
- connecting one of the Cisco ASA interfaces directly to the workstation that has the TFTP server
- specifying that workstation as the IOS source and booting up the firewall with that image
In order to install TFTP server software, you simply need to download the install package, start the software, and copy the IOS image into the folder indicated in the software’s dialog box.
I suggest using the simple and free TFTPD. You can download it here.
The interface of the program is extremely straightforward and should not cause any difficulties.
Place the IOS file for your firewall into the C:\Program Files\Tftpd64 folder that is specified in the “Current Directory” field. It is strongly advised to use the same IOS that was on the device when it went out of order. Don’t use a newer version until you are sure that your firewall works fine.
Important!
Note how the TFTP server software interface works: if the IP address of the laptop’s NIC gets changed, the “Server interfaces” field will still hold the old information. Check this and reload the TFTP server program if the value in that field is incorrect. For our example, we will use the address 192.168.1.2.
Next, we need to connect the laptop’s LAN interface to the Ethernet 0/0 interface of the firewall with a straight-through patch cord.
Inside the firewall’s console (ROMMON mode) enter the IP address (ADDRESS), port number (PORT), TFTP server address (SERVER) and the operating system image file (IMAGE) information.
Important!
When entering the commands in ROMMON mode, you have to enter them in full – no abbreviations or short versions are available.
rommon #1> ADDRESS=192.168.1.1
rommon #2> PORT=Ethernet0/0
rommon #3> SERVER=192.168.1.2
rommon #4> IMAGE=asa803-k8.bin
Important!
In this example the Cisco ASA firewall and the laptop with TFTP server software are directly connected to each other, so there is no need to specify the default gateway. However, if the corporate network is available, you can install the TFTP server on any network workstation and specify the default gateway (GATEWAY) and/or VLAN tag (VLAN) parameters in Cisco ASA‘s ROMMON:
rommon #5> GATEWAY=X.X.X.X
rommon #6> VLAN=Y
Enter the IP address for the default gateway of your network instead of X.X.X.X. Enter the VLAN tag for your VLAN instead of Y.
You can check the values that you entered using the “set” command:
rommon #7> set
The availability of the TFTP server is checked with the “ping server” command:
rommon #8> ping server
Once you’ve ensured that the workstation with TFTP server software and Cisco ASA firewall are connected and configured correctly, enter the command “tftp” to start the process of loading the IOS:
rommon #8> tftp
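An added example, not part of the article, that emits the ROMMON assignments from the steps above and sanity-checks them on the laptop before “tftp” is typed: the server may be reached without GATEWAY only when it is on the firewall's subnet, the image must be present in the TFTP directory, and, as an added caveat since TFTP offers no integrity protection, its SHA-256 should match a known-good value. The /24 mask, the Tftpd64 directory and the expected hash are assumptions, not values from the article.

```python
import hashlib
import ipaddress
from pathlib import Path

def rommon_commands(address, server, image, port="Ethernet0/0",
                    gateway=None, vlan=None):
    """The ROMMON assignments in the article's order, spelled out in full
    because ROMMON accepts no abbreviations."""
    cmds = [f"ADDRESS={address}", f"PORT={port}", f"SERVER={server}",
            f"IMAGE={image}"]
    if gateway:
        cmds.append(f"GATEWAY={gateway}")
    if vlan is not None:
        cmds.append(f"VLAN={vlan}")
    return cmds

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_plan(address, server, prefix_len, image, tftp_dir,
               gateway=None, expected_sha256=None):
    """Checks to run on the laptop before typing 'tftp' in ROMMON.
    Returns a list of problems; empty means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)
    if address == server:
        problems.append("ADDRESS and SERVER must be different hosts")
    # Directly connected laptop: no GATEWAY needed. Server elsewhere on the
    # network: it is off-subnet, so a GATEWAY on the local subnet is required.
    if ipaddress.ip_address(server) not in net and gateway is None:
        problems.append(f"SERVER {server} is outside {net}; set GATEWAY")
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        problems.append(f"GATEWAY {gateway} is not on {net}")
    path = Path(tftp_dir) / image
    if not path.is_file():
        problems.append(f"IMAGE {image} is not in the TFTP directory {tftp_dir}")
    elif expected_sha256 and sha256_hex(path.read_bytes()) != expected_sha256:
        # TFTP has no integrity protection; compare with the vendor-published
        # hash (assumed to be at hand) before booting the firewall from it.
        problems.append(f"IMAGE {image} does not match the known-good SHA-256")
    return problems

if __name__ == "__main__":
    # Article values: firewall 192.168.1.1, laptop 192.168.1.2, directly
    # connected; TFTP root assumed to be the Tftpd64 default directory.
    print("\n".join(rommon_commands("192.168.1.1", "192.168.1.2", "asa803-k8.bin")))
    for p in check_plan("192.168.1.1", "192.168.1.2", 24, "asa803-k8.bin",
                        r"C:\Program Files\Tftpd64"):
        print("problem:", p)
```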
Important!
Even if your device loads successfully, I still suggest that you work on finding a replacement, since its reliability is now questionable.
To emphasize one more time: this article describes an emergency recovery of a Cisco ASA device and the success of the procedure depends on how badly the device’s components are damaged. Everything laid out in this article will 100% work if the hardware is intact.
This article was written by Alexey Yurchenko