snowdog_2112

asked on

Cisco ASA - can't ping/trace icmp to IP in public IP block

IP block from ISP: x.y.z.32/28

ISP gateway: x.y.z.33
ASA outside: x.y.z.34

permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp

I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail

This, however, gets "DROP" by implicit rule - which goes to the implicit "deny any any":
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail

This fails on every IP in the block except the actual IP on the interface.

What am I missing?
tadeystas

Maybe it's a stupid question, but do you have a route set up?

ASKER

I don't follow what you mean.

I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.

I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.

Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.

The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
On ASA you can only ping from higher security level to lower security level, not vice versa.
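Added here as an illustration, not taken from the thread or from its certified solution (which is not visible on this page): a small Python model of the three destination types the asker tested with packet-tracer, namely the outside interface address itself, an address claimed by a static, and an address in the block that nothing on the ASA owns. It assumes the standard ASA handling order (ICMP addressed to the interface is to-the-box traffic governed by `icmp permit`; a static gives a mapped address an inside owner; an address with no owner is routed back out the connected outside subnet and, without `same-security-traffic permit intra-interface`, hits the implicit deny), and uses 203.0.113.32/28 as a constructed stand-in for the masked x.y.z.32/28 block.

```python
import ipaddress

# Constructed stand-in for the thread's masked x.y.z.32/28 block (TEST-NET-3 addresses).
OUTSIDE_NET = ipaddress.ip_network("203.0.113.32/28")
OUTSIDE_IF_IP = ipaddress.ip_address("203.0.113.34")   # x.y.z.34, the ASA outside interface
ICMP_TO_BOX_PERMITTED = True       # "icmp permit any outside" (ICMP addressed to the ASA itself)
INTRA_INTERFACE_PERMITTED = False  # "same-security-traffic permit intra-interface" (off by default)
# static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 -> (mapped ip, proto, port): real host
STATICS = {("203.0.113.45", "tcp", 3389): "192.168.1.35"}
# access-list in.outside as (proto, dst host or None for any, port or None for any).
# The tcp/3389 entry is assumed, since the thread says the RDP static is working.
IN_OUTSIDE_ACL = [("icmp", None, None), ("tcp", "203.0.113.45", 3389)]


def acl_permits(proto, dst, port):
    return any(p == proto and h in (None, str(dst)) and pt in (None, port)
               for p, h, pt in IN_OUTSIDE_ACL)


def trace(proto, dst_ip, dst_port=None):
    """Simplified model of the verdict packet-tracer reaches for a packet arriving
    on 'outside'. Returns (phase, verdict, detail)."""
    dst = ipaddress.ip_address(dst_ip)
    # 1. Packets addressed to the interface address are to-the-box traffic: 'icmp permit'
    #    decides, and neither the interface ACL nor NAT is consulted.
    if dst == OUTSIDE_IF_IP:
        if proto == "icmp" and ICMP_TO_BOX_PERMITTED:
            return ("ICMP-TO-BOX", "ALLOW", "ASA answers for its own interface address")
        return ("ICMP-TO-BOX", "DROP", "to-the-box traffic not permitted")
    # 2. A static gives the mapped address an inside owner: un-NAT, egress inside,
    #    then the interface ACL applies. A port static only claims that proto/port.
    real = STATICS.get((str(dst), proto, dst_port))
    if real:
        if acl_permits(proto, dst, dst_port):
            return ("UN-NAT", "ALLOW", f"egress inside -> {real}")
        return ("ACCESS-LIST", "DROP", "in.outside denies it")
    # 3. No owner: the route lookup falls back to the connected outside subnet, so the
    #    egress interface equals the ingress interface. Without intra-interface
    #    permission that is the implicit deny; the explicit ACL lines never get a say.
    if dst in OUTSIDE_NET:
        if not INTRA_INTERFACE_PERMITTED:
            return ("ACCESS-LIST", "DROP", "Implicit Rule: outside -> outside not permitted")
        return ("ROUTE-LOOKUP", "ALLOW", "hairpinned back toward the ISP; nothing here answers")
    return ("ROUTE-LOOKUP", "DROP", "no route to destination")


if __name__ == "__main__":
    for args in (("icmp", "203.0.113.34"), ("icmp", "203.0.113.40"),
                 ("tcp", "203.0.113.45", 3389), ("icmp", "203.0.113.45")):
        print(args, "->", trace(*args))
```

Running it reproduces the asker's split: echo to .34 and tcp/3389 to .45 are allowed, while echo to .40, and even echo to .45 (the static claims only tcp/3389), drop at the implicit rule.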
ASKER CERTIFIED SOLUTION
snowdog_2112
