Solved

ASA allowing/dropping ICMP unreachable?

Posted on 2013-10-23
3
740 Views
Last Modified: 2013-10-24
I am tracking down an issue where a router need o fragment a packet but the DF is set. The router sends an ICMP unreachable message need to fragment but df set. I created a capture on the ASA firewall to see if the ICMP packed it alloed through or dropped.

Capture capin int inside match icmp any any
Capture capout outside match icmp any any


the following is captured and displayed when I do a show capture capin:

1871: 23:01:20.632306       172.25.251.46 > 91.216.63.241: icmp: 172.12.18.218 unreachable - need to frag (mtu 1420)

How can I see if the Firewall is allowing this ICMP or dropping it? I would like to know what is happening with it.

Thanks
0
Comment
Question by:troubleshooter141
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 18

Accepted Solution

by:
fgasimzade earned 250 total points
ID: 39596425
You can just check the logs in ASDM
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 250 total points
ID: 39597370
packet-tracer input inside icmp 172.12.18.218 8 0 91.216.63.241 detailed

Then check the result of each phase if dropped or allowed
eg

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: sonicnet
output-status: up
output-line-status: up
Action: allow
0
 
LVL 3

Author Closing Comment

by:troubleshooter141
ID: 39597916
Thank you. I ended up creating a capture filter for dropped ASP and this gave me what I needed.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question