ICMP type 3 code 4 frag. needed and DF set unreachable

What steps are necessary to allow an ICMP type 3 code 4 from the inside of the firewall to the outside?

I am trying to test this by using packet tracer on the ASA, and it fails on the last step saying the packet is dropped: "(acl-drop) Flow is denied by configured rule".

I am inspecting ICMP already... Should I be inspecting icmp error?

Thanks
troubleshooter141 Asked:
Henk van Achterberg, Sr. Technical Consultant, Commented:
inspect icmp error AND the access-list from the inside to the outside and icmp-echo from the outside to the inside.

troubleshooter141, Author, Commented:
OK, so here is what I did:

asa# config t
asa(config)# class-map icmp-class
asa(config-cmap)# match default-inspection-traffic
asa(config-cmap)# exit
asa(config)# policy-map icmp_policy
asa(config-pmap)# class icmp-class
asa(config-pmap-c)# inspect icmp error
asa(config-pmap-c)# exit
asa(config-pmap)# service-policy icmp_policy interface outside
asa(config)# end
asa# packet-tracer input inside icmp 10.16.10.100 3 4 4.2.2.2

and the result was a drop. See the test results:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.16.10.0 255.255.255.0
  match ip inside 10.16.10.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.1.72 [Interface PAT])
    translate_hits = 309, untranslate_hits = 46
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.16.10.0 255.255.255.0
  match ip inside 10.16.10.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.1.72 [Interface PAT])
    translate_hits = 309, untranslate_hits = 46
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


See full config attached

Any ideas as to what I am missing? Again, I am testing with packet tracer to ensure ICMP type 3 code 4 goes through. I am doing this from the command line with the following parameters: asa# packet-tracer input inside icmp 10.16.10.100 3 4 4.2.2.2

Is this not correct?

Thanks
testASA.txt

Henk van Achterberg, Sr. Technical Consultant, Commented:
Can you please try with real hardware, as packet tracer is sometimes not really reliable, especially with inspecting packets.

Packet tracer also cannot be used in combination with IPsec, for example.

troubleshooter141, Author, Commented:
Well, I would, but I am trying to find a way of generating ICMP type 3 code 4 packets from my Windows machine to an outside destination.

I don't think I can generate this from the Windows ping utility. Do you know of any other applications I could do this with? Or maybe a good way to simulate this?

Packet tracer was the easiest way for me to do this.

Thanks

Henk van Achterberg, Sr. Technical Consultant, Commented:

troubleshooter141, Author, Commented:
Well, it turns out my test wasn't very good. The firewall was dropping the ICMP packets because I was sending an unreachable to a host that hadn't sent anything to me first. I am splitting the points.

Thanks
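Added example, not part of the thread and not Cisco's code: a small Python model of the stateful check the final post describes. It builds an ICMP type 3 code 4 message carrying the quoted original packet and forwards it only if that quoted packet belongs to a flow already in a connection table; the addresses, ports and flow table are constructed, and the matching rule is an assumed simplification of what `inspect icmp error` does on the ASA.

```python
import struct
from ipaddress import IPv4Address
ICMP_UNREACH, CODE_FRAG_NEEDED, PROTO_ICMP, PROTO_TCP = 3, 4, 1, 6

def checksum(data: bytes) -> int:  # RFC 1071 one's-complement sum over 16-bit words
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:  # 20-byte header, DF set
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):  # -> (header length, src, dst, protocol)
    return (pkt[0] & 0x0F) * 4, str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9]

def build_tcp(src, sport, dst, dport) -> bytes:  # IPv4 + first 8 bytes of TCP: enough for an ICMP quote
    return build_ipv4(src, dst, PROTO_TCP, struct.pack("!HHI", sport, dport, 1))

def build_frag_needed(reporter: str, too_big: bytes, mtu: int = 1400) -> bytes:
    # RFC 1191 type 3 code 4: unused(2), next-hop MTU(2), then IP header + 8 bytes of the offending packet
    icmp = struct.pack("!BBHHH", ICMP_UNREACH, CODE_FRAG_NEEDED, 0, 0, mtu) + too_big[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(reporter, parse_ipv4(too_big)[1], PROTO_ICMP, icmp)  # addressed to the original sender

def flow_key(src, sport, dst, dport, proto):  # direction-agnostic: a reply belongs to the request's flow
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def icmp_error_allowed(pkt: bytes, flows: set):
    # The check behind the drop in the thread: forward an ICMP error only if the quoted packet is part of a known flow
    ihl, _, _, proto = parse_ipv4(pkt)
    if proto != PROTO_ICMP or pkt[ihl] != ICMP_UNREACH:
        return False, "not an ICMP unreachable"
    inner = pkt[ihl + 8:]
    if len(inner) < 28:
        return False, "quoted packet too short to identify a flow"
    in_ihl, in_src, in_dst, in_proto = parse_ipv4(inner)
    sport, dport = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
    if flow_key(in_src, sport, in_dst, dport, in_proto) not in flows:
        return False, "no matching flow for the quoted packet"
    return True, "matches existing flow"

# Constructed: the inside host opened TCP 10.16.10.100:51000 -> 4.2.2.2:443 earlier. GOOD is a router on
# the path reporting a too-big segment of that flow; BAD quotes a packet 4.2.2.2 never sent (the tracer test).
FLOWS = {flow_key("10.16.10.100", 51000, "4.2.2.2", 443, PROTO_TCP)}
GOOD = build_frag_needed("192.0.2.1", build_tcp("10.16.10.100", 51000, "4.2.2.2", 443))
BAD = build_frag_needed("10.16.10.100", build_tcp("4.2.2.2", 80, "10.16.10.100", 40000))
```

The inside host sending a frag-needed for a reply that really belongs to its own connection (the reverse direction of the same 5-tuple) is also forwarded, which is the case the question is about.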