Add custom ASAv config to allow inside-to-outside pings

ipspace · ipspace · commit 07a6f7d44fd8 · 2024-12-16T18:21:51.000+01:00
diff --git a/multi-platform/asav/acl.j2 b/multi-platform/asav/acl.j2
@@ -0,0 +1,13 @@
+!
+interface GigabitEthernet0/0
+ security-level 100
+!
+access-list ALLOW_INTERNAL extended permit ip 172.16.0.0 255.255.0.0 any log 
+!
+logging monitor debugging
+!
+access-group ALLOW_INTERNAL in interface GigabitEthernet0/0
+!
+policy-map global_policy
+ class inspection_default
+  inspect icmp 
diff --git a/multi-platform/asav/config/fw.cfg b/multi-platform/asav/config/fw.cfg
@@ -1,7 +1,7 @@
 : Saved
 
 : 
-: Serial Number: 9AFH30Q99A3
+: Serial Number: 9A1GJWWR10F
 : Hardware:   ASAv, 2048 MB RAM, CPU Xeon 4100/6100/8100 series 2500 MHz
 :
 ASA Version 9.16(4)57 
@@ -20,7 +20,7 @@ no mac-address auto
 interface GigabitEthernet0/0
  description fw -> int [external]
  nameif GigabitEthernet0/0
- security-level 0
+ security-level 100
  ip address 172.16.1.1 255.255.255.0 
 !
 interface GigabitEthernet0/1
@@ -38,9 +38,11 @@ interface Management0/0
 ftp mode passive
 dns server-group DefaultDNS
  domain-name lab.local
+access-list ALLOW_INTERNAL extended permit ip 172.16.0.0 255.255.0.0 any log 
 pager lines 23
-mtu inside 1500
-mtu outside 1500
+logging monitor debugging
+mtu GigabitEthernet0/0 1500
+mtu GigabitEthernet0/1 1500
 mtu management 1500
 no failover
 no failover wait-disable
@@ -50,6 +52,7 @@ no asdm history enable
 arp timeout 14400
 no arp permit-nonconnected
 arp rate-limit 8192
+access-group ALLOW_INTERNAL in interface GigabitEthernet0/0
 router bgp 65000
  bgp log-neighbor-changes
  bgp router-id 10.0.0.1
@@ -233,6 +236,7 @@ policy-map global_policy
   inspect sqlnet 
   inspect sip  
   inspect skinny 
+  inspect icmp 
 policy-map type inspect dns migrated_dns_map_2
  parameters
   message-length maximum client auto
@@ -261,5 +265,5 @@ call-home
  profile License
   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
   destination transport-method http
-Cryptochecksum:177ef40ec20b04cf3290eb46285d28d1
+Cryptochecksum:ebb3cddc78118910421126ac82742707
 : end
diff --git a/multi-platform/asav/topology.yml b/multi-platform/asav/topology.yml
@@ -1,4 +1,4 @@
-message: >
+message: |
   This topology contains a simple ASAv deployment scenario. ASAv is a WAN
   edge firewall. The wan edge router router is advertising the default BGP route
   that ASAv should propagate to the inside routers.
@@ -21,6 +21,7 @@ nodes:
   fw:
     device: asav
     bgp.as: 65000
+    config: [ acl ]
   int:
     bgp.as: 65001
   ext:
