• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 781
  • Last Modified:

ASA allowing/dropping ICMP unreachable?

I am tracking down an issue where a router need o fragment a packet but the DF is set. The router sends an ICMP unreachable message need to fragment but df set. I created a capture on the ASA firewall to see if the ICMP packed it alloed through or dropped.

Capture capin int inside match icmp any any
Capture capout outside match icmp any any


the following is captured and displayed when I do a show capture capin:

1871: 23:01:20.632306       172.25.251.46 > 91.216.63.241: icmp: 172.12.18.218 unreachable - need to frag (mtu 1420)

How can I see if the Firewall is allowing this ICMP or dropping it? I would like to know what is happening with it.

Thanks
0
troubleshooter141
Asked:
troubleshooter141
2 Solutions
 
fgasimzadeCommented:
You can just check the logs in ASDM
0
 
AkinsdNetwork AdministratorCommented:
packet-tracer input inside icmp 172.12.18.218 8 0 91.216.63.241 detailed

Then check the result of each phase if dropped or allowed
eg

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: sonicnet
output-status: up
output-line-status: up
Action: allow
0
 
troubleshooter141Author Commented:
Thank you. I ended up creating a capture filter for dropped ASP and this gave me what I needed.
0

Featured Post

Learn to develop an Android App

Want to increase your earning potential in 2018? Pad your resume with app building experience. Learn how with this hands-on course.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now