CISCO ASA( Adaptive Security Appliance)

Hi Rene/Laz,

When I am creating policy like you did for ICMP inspection facing error like given below ::

ERROR: % class map inspection_default not configured
Is anything else we need to configure ?

Hi Rene/Laz,

In ASA 5506 software 9.6, all NAT features not available b/c i am doing same same dynamic nat configuration as done by you but inside nat calling a object feature not showing afternat (inside,outside) dynamic ?

Same range feature for network not appear in object group ?

Per-session - Multi Session NAT

Q) what is the mean of NAT enabled at level 255 ?

Hello Pradyumna

Take a look at this Cisco Community thread:

There are many features, options, and commands that change as the ASA versions change. A major change occurred between ASA 8.2 and 8.3 and the way configurations are implemented, especially for NAT, were modified. The following link specifies these changes.

Available commands for other versions change over time as well. These are documented in Cisco’s ASA command references.

When you debug NAT, you specify the level of debug you want.

myASA# debug nat ?

  <1-255>  Specify an optional debug level (default is 1)
myASA# debug nat

The levels range from 1 to 255. Typically we choose 255 to see all available information.

I hope this has been helpful!


1 Like

Hi laz,

Could you write down the access-list commands to necessary to permit the ICMP while pinging from Inside to Outside, Inside to DMZ, DMZ to inside, DMZ to outside , Outside to DMZ and Outside to Inside ? I have write down few commands for permitting Inside to DMZ and Inside to Outside Or DMZ to outside but still not permitted or we can say not pinging ? Kindly suggest.

access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside


access-list DMZ_IN extended permit icmp any any echo-reply
access-group DMZ_IN in interface DMZ

Hello Pradyumna

The above access lists look correct. If this isn’t working, then there may be other configurations that are blocking it. I suggest you do some debugging to see what is being blocked and why. You can do so by issuing the debug icmp trace command.

You can also take a look at this lesson which describes how to implement access lists to allow specific traffic to go from a lower security level to a higher security level.

I hope this has been helpful!


A post was merged into an existing topic: Cisco ASA VPN Filter