troubleshooter141 asked:
ICMP type 3 code 4 frag. needed and DF set unreachable
What steps are necessary to allow an ICMP type 3 code 4 from the inside of the firewall to the outside?
I am trying to test this by using packet tracer on the ASA and it fails on the last step saying the packet is dropped. (acl-drop) Flow is denied by configured rule.
I am inspecting ICMP already... Should I be inspecting icmp error?
Thanks
SOLUTION
Can you please try with real hardware as packet tracer is sometimes not really reliable, especially with inspecting packets.
packet tracker can also not be used in combination with ipsec for example.
ASKER
Well I would but I am trying to find a way of generating icmp type 3 code 4 packets from my windows machine to an outside destination.
I don't think I can generate this from the Windows ping utility. Do you know of any other applications I could do this with? Or maybe a good way to simulate this?
packet tracer was the easiest way for me to do this.
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Well it turns out my test wasn't very good. The firewall was dropping the icmp packets because I was sending unreachable to a host that hadn't sent anything to me 1st. I am splitting the points.
Thanks
ASKER
asa# config t
asa(config)# class-map icmp-class
asa(config-cmap)# match default-inspection-traffic
asa(config-cmap)# exit
asa(config)# policy-map icmp_policy
asa(config-pmap)# class icmp-class
asa(config-pmap-c)# inspect icmp error
asa(config-pmap-c)# exit
asa(config-pmap)# service-policy icmp_policy interface outside
asa(config)# end
asa# packet-tracer input inside icmp 10.16.10.100 3 4 4.2.2.2
and the result was dropped... see test results:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.16.10.0 255.255.255.0
match ip inside 10.16.10.0 255.255.255.0 outside any
dynamic translation to pool 1 (192.168.1.72 [Interface PAT])
translate_hits = 309, untranslate_hits = 46
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.16.10.0 255.255.255.0
match ip inside 10.16.10.0 255.255.255.0 outside any
dynamic translation to pool 1 (192.168.1.72 [Interface PAT])
translate_hits = 309, untranslate_hits = 46
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
See full config attached
Any ideas as to what I am missing? Again, I am testing with packet tracer to ensure ICMP type 3 code 4 goes through. I am doing this from the command line with the following parameters: asa# packet-tracer input inside icmp 10.16.10.100 3 4 4.2.2.2
Is this not correct?
Thanks
testASA.txt
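The asker's conclusion above (the unreachable was dropped because the outside host had never sent anything first) and the packet-tracer trace ending in (acl-drop) both come down to the same rule: with ICMP error inspection, the firewall only forwards an ICMP error whose quoted datagram belongs to a connection it already has in its table. The following Python script is an added example and is not code from the thread, from Cisco, or from the ASA; it builds a constructed ICMP type 3 code 4 message, decodes the next-hop MTU and the quoted IP/transport header, and runs a toy stateful check over a constructed connection table. The addresses 10.16.10.100 and 4.2.2.2 are taken from the thread; the ports, sequence numbers and the 1400-byte next-hop MTU are assumptions chosen for the demonstration, and the check is a simplified model of ICMP error inspection, not the ASA's implementation.

```python
"""ICMP type 3 code 4 (Fragmentation Needed, DF set) decoder plus a toy
stateful check modelling why ICMP error inspection drops an unreachable
that does not belong to any connection the firewall has seen.
All packets and the connection table below are constructed for the example."""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IP_DF = 0x4000  # "don't fragment" bit in the IPv4 flags field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 over data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, df: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      IP_DF if df else 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, size: int, df: bool = True) -> bytes:
    """Constructed TCP datagram padded to `size` bytes; only its first 8 transport bytes get quoted."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x10, 65535, 0, 0)
    return build_ipv4(src, dst, IPPROTO_TCP, tcp + b"\x00" * (size - 40), df)


def build_frag_needed(sender: str, triggering_datagram: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 as a router emits it: 8-byte ICMP header whose last
    16 bits carry the next-hop MTU, then the IP header + 8 bytes of the offending datagram."""
    quoted = triggering_datagram[:28]
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    original_src = str(ipaddress.IPv4Address(triggering_datagram[12:16]))  # error goes back to the sender
    return build_ipv4(sender, original_src, IPPROTO_ICMP, icmp)


def parse_frag_needed(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying ICMP type 3 code 4; raises ValueError on anything else."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not type 3 code 4: got type %d code %d" % (typ, code))
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "next_hop_mtu": mtu,
        "inner_proto": inner[9],
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_sport": sport,
        "inner_dport": dport,
        "inner_df": bool(struct.unpack("!H", inner[6:8])[0] & IP_DF),
        "inner_len": struct.unpack("!H", inner[2:4])[0],
    }


def stateful_verdict(info: dict, connections: set) -> tuple:
    """Toy ICMP error inspection: the error must be addressed to the host that sent the
    quoted datagram, and that datagram must match a known connection in either direction.
    `connections` holds (proto, src, sport, dst, dport) tuples as the firewall first saw them."""
    if info["inner_src"] != info["outer_dst"]:
        return False, "quoted datagram was not sent by the ICMP destination"
    fwd = (info["inner_proto"], info["inner_src"], info["inner_sport"], info["inner_dst"], info["inner_dport"])
    rev = (fwd[0], fwd[3], fwd[4], fwd[1], fwd[2])
    if fwd in connections or rev in connections:
        return True, "matches existing connection"
    return False, "no matching flow (acl-drop)"


# Constructed connection table: the inside host has one open session to 4.2.2.2:443.
CONNECTIONS = {(IPPROTO_TCP, "10.16.10.100", 51000, "4.2.2.2", 443)}


def demo() -> tuple:
    # Legitimate PMTUD: a 1500-byte DF segment of the known session arrives from 4.2.2.2,
    # and the inside host answers with frag-needed advertising a 1400-byte next-hop MTU.
    big = build_tcp_segment("4.2.2.2", "10.16.10.100", 443, 51000, 1500)
    good = parse_frag_needed(build_frag_needed("10.16.10.100", big, 1400))
    # The thread's test: an unreachable toward 4.2.2.2 quoting a datagram that never crossed the firewall.
    unsolicited = build_tcp_segment("4.2.2.2", "10.16.10.100", 80, 40000, 1500)
    bad = parse_frag_needed(build_frag_needed("10.16.10.100", unsolicited, 1400))
    return stateful_verdict(good, CONNECTIONS), stateful_verdict(bad, CONNECTIONS)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A bare `packet-tracer input inside icmp 10.16.10.100 3 4 4.2.2.2` behaves like the second case: there is no prior connection for the quoted datagram to match, so the inspected path reports acl-drop even though outbound ICMP from inside is otherwise permitted. A meaningful test therefore needs the triggering connection to exist first, which is exactly what the asker found on real traffic.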