CISCO ASA( Adaptive Security Appliance)

Hi Rene/Laz,

When I am creating policy like you did for ICMP inspection facing error like given below ::

ERROR: % class map inspection_default not configured
Is anything else we need to configure ?

Hi Rene/Laz,

In ASA 5506 software 9.6, all NAT features not available b/c i am doing same same dynamic nat configuration as done by you but inside nat calling a object feature not showing afternat (inside,outside) dynamic ?

Same range feature for network not appear in object group ?

Per-session - Multi Session NAT

Q) what is the mean of NAT enabled at level 255 ?

Hello Pradyumna

Take a look at this Cisco Community thread:

There are many features, options, and commands that change as the ASA versions change. A major change occurred between ASA 8.2 and 8.3 and the way configurations are implemented, especially for NAT, were modified. The following link specifies these changes.

Available commands for other versions change over time as well. These are documented in Cisco’s ASA command references.

When you debug NAT, you specify the level of debug you want.

myASA# debug nat ?

  <1-255>  Specify an optional debug level (default is 1)
myASA# debug nat

The levels range from 1 to 255. Typically we choose 255 to see all available information.

I hope this has been helpful!


1 Like

Hi laz,

Could you write down the access-list commands to necessary to permit the ICMP while pinging from Inside to Outside, Inside to DMZ, DMZ to inside, DMZ to outside , Outside to DMZ and Outside to Inside ? I have write down few commands for permitting Inside to DMZ and Inside to Outside Or DMZ to outside but still not permitted or we can say not pinging ? Kindly suggest.

access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside


access-list DMZ_IN extended permit icmp any any echo-reply
access-group DMZ_IN in interface DMZ

Hello Pradyumna

The above access lists look correct. If this isn’t working, then there may be other configurations that are blocking it. I suggest you do some debugging to see what is being blocked and why. You can do so by issuing the debug icmp trace command.

You can also take a look at this lesson which describes how to implement access lists to allow specific traffic to go from a lower security level to a higher security level.

I hope this has been helpful!


A post was merged into an existing topic: Cisco ASA VPN Filter

Hi Rene and staff,

may i come back to this previous post ?
ERROR: % class map inspection_default not configured

First you should know i am clear with the 3 concepts class-map, policy-map, service-policy
I would recommand this video

from Tony BOURKE, which in my opinion, is the best to be clear with these concepts

So what is my problem ?
I lab with ASA 8.4 and there was no class inspection_default predefined
So create it in general config !

class-map inspection_default
match default-inspection-traffic


What does do this command ?
I though it add the listed protocols above to the inspection engine: so, from there, ftp is inspected, tftp is inspected, etc…

Then i have to add class inspection_default to policy-map global_policy
policy-map global_policy
class inspection_default
and then to set service-policy: service-policy global_policy global

But when i edit show run policy-map
none of the protocols listed in default-inspection-traffic are inspected !!
To work, I had to set them again under policy-map: inspect ftp, inspect tftp, etc…
So, I dont understand how it works
Could you clarify ?

Hello Dominique

I did a bit of experimentation with my ASA and I found that initially, by default, when the ASA comes out of the box, the class-map inspection_default is configured with the appropriate default inspection parameters. If you delete that and recreate it using the commands you used, the class map will be created but the inspection policies for the protocols are no longer listed. This will recreate the default entity, but it will not actually create the inspection rules. In order to do this, you must add an additional command like so:

myASA# conf t
myASA(config)# class inspection_default
myASA(config-cmap)# match default-inspection-traffic
myASA(config-cmap)# clear config fixup

After this, if you take a look at the running-config you will see the class-map inspection rules will have returned.

I hope this has been helpful!