asked on Cisco ASA - can't ping/trace icmp to IP in public IP block
IP block from ISP: x.y.z.32/28
ISP gateway: x.y.z.33
ASA outside: x.y.z.34
permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp
I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail
This, however, "DROP" by implicit rule - which goes to the implicit "deny any any""
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail
This fails on every IP in the block except the actual IP on the interface.
What am I missing?
ISP gateway: x.y.z.33
ASA outside: x.y.z.34
permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp
I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail
This, however, "DROP" by implicit rule - which goes to the implicit "deny any any""
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail
This fails on every IP in the block except the actual IP on the interface.
What am I missing?
Cisco
Last Comment
snowdog_2112
maybe it's stupid question, but do you have a route setup?
ASKER
I don't follow what you mean.
I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.
I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.
Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.
The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.
I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.
Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.
The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
On ASA you can only ping from higher security level to lower security level, not vice versa.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
no solution found.