Solved

ASA allowing/dropping ICMP unreachable?

Posted on 2013-10-23
3
728 Views
Last Modified: 2013-10-24
I am tracking down an issue where a router need o fragment a packet but the DF is set. The router sends an ICMP unreachable message need to fragment but df set. I created a capture on the ASA firewall to see if the ICMP packed it alloed through or dropped.

Capture capin int inside match icmp any any
Capture capout outside match icmp any any


the following is captured and displayed when I do a show capture capin:

1871: 23:01:20.632306       172.25.251.46 > 91.216.63.241: icmp: 172.12.18.218 unreachable - need to frag (mtu 1420)

How can I see if the Firewall is allowing this ICMP or dropping it? I would like to know what is happening with it.

Thanks
0
Comment
Question by:troubleshooter141
3 Comments
 
LVL 18

Accepted Solution

by:
fgasimzade earned 250 total points
ID: 39596425
You can just check the logs in ASDM
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 250 total points
ID: 39597370
packet-tracer input inside icmp 172.12.18.218 8 0 91.216.63.241 detailed

Then check the result of each phase if dropped or allowed
eg

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: sonicnet
output-status: up
output-line-status: up
Action: allow
0
 
LVL 3

Author Closing Comment

by:troubleshooter141
ID: 39597916
Thank you. I ended up creating a capture filter for dropped ASP and this gave me what I needed.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Outbound Connection to known malware 4 41
how to remove .wallet ransomware 8 95
Non admin needs to install programs 17 35
Home Router DHCP query 9 26
Enterprise Password Manager Suites as well as Local Password managers are covered in this article.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question