snowdog_2112
Cisco ASA - can't ping/trace icmp to IP in public IP block
IP block from ISP: x.y.z.32/28
ISP gateway: x.y.z.33
ASA outside: x.y.z.34
permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp
I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail
This, however, is a "DROP" by implicit rule - which goes to the implicit "deny any any".
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail
This fails on every IP in the block except the actual IP on the interface.
What am I missing?
Maybe it's a stupid question, but do you have a route set up?
ASKER
I don't follow what you mean.
I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.
I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.
Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.
The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
On ASA you can only ping from higher security level to lower security level, not vice versa.
ASKER
No solution found.