troubleshooter141


ICMP type 3 code 4 frag. needed and DF set unreachable

What steps are necessary to allow an ICMP type 3 code 4 from the inside of the firewall to the outside?

I am trying to test this by using packet tracer on the ASA, and it fails on the last step, saying the packet is dropped: (acl-drop) Flow is denied by configured rule.

I am inspecting ICMP already... Should I be inspecting icmp error?

Thanks
SOLUTION
Henk van Achterberg

troubleshooter141

ASKER

Ok, so here is what I did....

asa# config t
asa(config)# class-map icmp-class
asa(config-cmap)# match default-inspection-traffic
asa(config-cmap)# exit
asa(config)# policy-map icmp_policy
asa(config-pmap)# class icmp-class
asa(config-pmap-c)# inspect icmp error
asa(config-pmap-c)# exit
asa(config-pmap)# service-policy icmp_policy interface outside
asa(config)# end
asa# packet-tracer input inside icmp 10.16.10.100 3 4 4.2.2.2

and the result was dropped... see test results:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.16.10.0 255.255.255.0
  match ip inside 10.16.10.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.1.72 [Interface PAT])
    translate_hits = 309, untranslate_hits = 46
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.16.10.0 255.255.255.0
  match ip inside 10.16.10.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.1.72 [Interface PAT])
    translate_hits = 309, untranslate_hits = 46
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


See full config attached

Any ideas as to what I am missing? Again, I am testing with packet tracer to ensure ICMP type 3 code 4 goes through. I am doing this from the command line with the following parameters: asa# packet-tracer input inside icmp 10.16.10.100 3 4 4.2.2.2

Is this not correct?

Thanks
testASA.txt
Can you please try with real hardware, as packet tracer is sometimes not really reliable, especially with inspecting packets.

Packet tracer can also not be used in combination with IPsec, for example.
Well, I would, but I am trying to find a way of generating ICMP type 3 code 4 packets from my Windows machine to an outside destination.

I don't think I can generate this from the Windows ping utility. Do you know of any other applications I could do this with? Or maybe a good way to simulate this?

Packet tracer was the easiest way for me to do this.

Thanks
ASKER CERTIFIED SOLUTION
Well, it turns out my test wasn't very good. The firewall was dropping the ICMP packets because I was sending an unreachable to a host that hadn't sent anything to me first. I am splitting the points.

Thanks
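As an added example (not code from this thread, from Cisco, or from Experts Exchange), the script below does two things the thread talks about: it builds a correctly formed ICMP type 3 code 4 (Fragmentation Needed, DF set) message of the kind the asker wanted to generate from a Windows machine, and it models the stateful check the asker's closing comment describes, where the error is only forwarded when the datagram quoted inside it belongs to a connection the firewall has already seen. The inside host 10.16.10.100 and the outside host 4.2.2.2 come from the thread; the TCP ports, the 1400-byte next-hop MTU and the flow table are constructed sample values, and the flow-matching logic is a simplified model of how stateful ICMP error handling works, not the ASA's actual implementation. Nothing is sent on the wire; the packet is assembled and checked in memory with the standard library only.

```python
"""Build an ICMP type 3 code 4 (Fragmentation Needed, DF set) error message and
model the stateful check a firewall applies before forwarding it.

Added example, not code from the thread above. Ports, MTU and flow table are
constructed sample values; the flow check is a simplified model, not ASA code.
"""
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    flags_frag = 0x4000 if df else 0  # DF is bit 14 of the flags/fragment-offset field
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(sender_ip: str, original_pkt: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4: 8-byte ICMP header (unused 16 bits + next-hop MTU, RFC 1191)
    followed by the first 28 bytes of the original datagram (IP header + 8 bytes of
    transport header), wrapped in an IP header back to the original sender."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_pkt[:28]
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    orig_src = str(ipaddress.IPv4Address(original_pkt[12:16]))
    return ipv4_header(sender_ip, orig_src, 1, len(icmp), df=False) + icmp


def parse_icmp_error(pkt: bytes) -> dict:
    """Decode outer header, ICMP header and the quoted (inner) datagram, verifying checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    itype, icode, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "type": itype, "code": icode, "mtu": mtu,
        "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_csum_ok": inet_checksum(icmp) == 0,
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
        "inner_df": bool(struct.unpack("!H", inner[6:8])[0] & 0x4000),
        "inner_transport": inner[inner_ihl:inner_ihl + 8],
    }


def icmp_error_decision(pkt: bytes, flows: set) -> str:
    """Simplified model of stateful ICMP error handling (an assumption, not ASA code):
    forward the error only if it is well formed, addressed to the quoted datagram's
    source, and the quoted datagram belongs to a flow already in the table
    (matched in either direction). flows holds (src, dst, proto) tuples."""
    info = parse_icmp_error(pkt)
    if not (info["ip_csum_ok"] and info["icmp_csum_ok"]):
        return "drop: bad checksum"
    if info["type"] != 3:
        return "drop: not a destination-unreachable message"
    if info["outer_dst"] != info["inner_src"]:
        return "drop: error not addressed to the quoted datagram's source"
    fwd = (info["inner_src"], info["inner_dst"], info["inner_proto"])
    rev = (info["inner_dst"], info["inner_src"], info["inner_proto"])
    if fwd in flows or rev in flows:
        return "allow"
    return "drop: quoted datagram matches no existing flow"


def sample_error_packet() -> bytes:
    """Constructed scenario: 4.2.2.2:80 sent a 1500-byte TCP segment with DF set to
    10.16.10.100:51000; the inside host reports a next-hop MTU of 1400."""
    original = ipv4_header("4.2.2.2", "10.16.10.100", 6, 1480, df=True) + struct.pack("!HHI", 80, 51000, 1)
    return build_frag_needed("10.16.10.100", original, 1400)


if __name__ == "__main__":
    pkt = sample_error_packet()
    print(parse_icmp_error(pkt))
    print("no prior flow  :", icmp_error_decision(pkt, set()))
    print("with prior flow:", icmp_error_decision(pkt, {("10.16.10.100", "4.2.2.2", 6)}))
```

With an empty flow table the message is dropped even though it is perfectly formed, which is the situation the packet-tracer test reproduced: the trace starts with "Found no matching flow" and no connection to 4.2.2.2 existed for the quoted datagram to be associated with. Once a flow between the inside host and 4.2.2.2 is present, the same bytes are allowed through. If you want to exercise this against real hardware rather than in memory, the bytes returned by sample_error_packet() are exactly what a raw-socket sender would transmit, but sending them requires a prior connection from the inside host so the firewall has a flow to match.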