Link to home
Create AccountLog in
Avatar of snowdog_2112
snowdog_2112Flag for United States of America

asked on

Cisco ASA - can't ping/trace icmp to IP in public IP block

IP block from ISP: x.y.z.32/28

ISP gateway: x.y.z.33
ASA outside: x.y.z.34

permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp

I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail

This, however, "DROP" by implicit rule - which goes to the implicit "deny any any""
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail

This fails on every IP in the block except the actual IP on the interface.

What am I missing?
Avatar of tadeystas
tadeystas
Flag of United States of America image

maybe it's stupid question, but do you have a route setup?
Avatar of snowdog_2112

ASKER

I don't follow what you mean.

I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.

I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.

Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.

The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
On ASA you can only ping from higher security level to lower security level, not vice versa.
ASKER CERTIFIED SOLUTION
Avatar of snowdog_2112
snowdog_2112
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
no solution found.