Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA - can't ping/trace icmp to IP in public IP block

Posted on 2014-11-17
5
Medium Priority
?
467 Views
Last Modified: 2015-01-12
IP block from ISP: x.y.z.32/28

ISP gateway: x.y.z.33
ASA outside: x.y.z.34

permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp

I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail

This, however, "DROP" by implicit rule - which goes to the implicit "deny any any""
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail

This fails on every IP in the block except the actual IP on the interface.

What am I missing?
0
Comment
Question by:snowdog_2112
  • 3
  • 2
5 Comments
 

Expert Comment

by:tadeystas
ID: 40448557
maybe it's stupid question, but do you have a route setup?
0
 

Author Comment

by:snowdog_2112
ID: 40448669
I don't follow what you mean.

I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.

I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.

Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.

The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
0
 

Expert Comment

by:tadeystas
ID: 40450864
On ASA you can only ping from higher security level to lower security level, not vice versa.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 40453388
More info: this is *not* the only outside facing interface, and it's also not the default route.  I *do* have a /28 route on the remote side to this block.

I am trying to ping from an Internet IP *not in my subnet* to several IP's which are in my subnet.

I can ping the ISP gateway, but not the IP on the outside interface, nor any of the other IP's which are part of my block - some of which I have tcp mappings defined (e.g., static (inside,outside) tcp x.y.z.45 3389 192.168.1.45 3389) so I can't add a 1-to-1 - which would theoretically send the ping to the INSIDE host, not the ASA itself.

Do I need a reciprocating route on this side via this non-default interface to the remote network?   Even if that were true, the packet-tracer shows the incoming icmp "drop" due to implicit rule, not that it is receiving the ping on this interface and replying via the default gateway interface.
0
 

Author Closing Comment

by:snowdog_2112
ID: 40544013
no solution found.
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question