Solved

Cisco ASA - can't ping/trace icmp to IP in public IP block

Posted on 2014-11-17
Last Modified: 2015-01-12
IP block from ISP: x.y.z.32/28

ISP gateway: x.y.z.33
ASA outside: x.y.z.34

permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp

I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail

This, however, is "DROP" by implicit rule - which goes to the implicit "deny any any":
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail

This fails on every IP in the block except the actual IP on the interface.

What am I missing?
Question by:snowdog_2112
5 Comments
 

Expert Comment

by:tadeystas
ID: 40448557
maybe it's stupid question, but do you have a route setup?
 

Author Comment

by:snowdog_2112
ID: 40448669
I don't follow what you mean.

I'm running a packet-tracer on the ASA itself, using one of the IPs in the assigned block.

I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.

Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.

The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
 

Expert Comment

by:tadeystas
ID: 40450864
On ASA you can only ping from higher security level to lower security level, not vice versa.
 

Accepted Solution

by:snowdog_2112 (earned 0 total points)
ID: 40453388
More info: this is *not* the only outside-facing interface, and it's also not the default route. I *do* have a /28 route on the remote side to this block.

I am trying to ping from an Internet IP *not in my subnet* to several IPs which are in my subnet.

I can ping the ISP gateway, but not the IP on the outside interface, nor any of the other IPs which are part of my block - for some of which I have tcp mappings defined (e.g., static (inside,outside) tcp x.y.z.45 3389 192.168.1.45 3389), so I can't add a 1-to-1 - which would theoretically send the ping to the INSIDE host, not the ASA itself.

Do I need a reciprocating route on this side via this non-default interface to the remote network? Even if that were true, the packet-tracer shows the incoming icmp "drop" due to the implicit rule, not that it is receiving the ping on this interface and replying via the default gateway interface.
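As an added example (not from the thread and not Cisco's code), a small Python inventory of which addresses in the /28 the ASA actually has something configured for, following the author's own reasoning above that some of the block is claimed by static PAT entries and the rest by nothing. The config fragment is constructed, with the documentation prefix 198.51.100 standing in for x.y.z; it parses the legacy `static (inside,outside) tcp ...` syntax quoted in the thread and the interface `ip address` line.

```python
import ipaddress
import re

# Constructed sample config, modelled on the lines quoted in the thread.
ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 198.51.100.34 255.255.255.240
access-list in.outside permit icmp any any
static (inside,outside) tcp 198.51.100.45 3389 192.168.1.35 3389 netmask 255.255.255.255
"""

# Legacy (pre-8.3) static PAT: static (real,mapped) proto mapped_ip mapped_port real_ip real_port
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mip>\S+) (?P<mport>\S+) (?P<rip>\S+) (?P<rport>\S+)"
)
# Interface addresses are indented one space under "interface ..." in ASA configs.
IFACE_RE = re.compile(r"^ ip address (?P<ip>\S+) (?P<mask>\S+)")


def map_public_block(config: str, block: str, gateway: str) -> dict:
    """Return {address: description} for every usable address in `block`:
    the ISP gateway, an address the ASA itself owns, an address claimed by a
    static PAT entry (with the inside host it maps to), or nothing at all."""
    owned = set()
    statics = {}
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            owned.add(ipaddress.ip_address(m["ip"]))
        m = STATIC_RE.match(line)
        if m:
            statics.setdefault(ipaddress.ip_address(m["mip"]), []).append(
                f"{m['proto']}/{m['mport']} -> {m['rip']}:{m['rport']}")
    gw = ipaddress.ip_address(gateway)
    result = {}
    for addr in ipaddress.ip_network(block).hosts():
        if addr == gw:
            result[str(addr)] = "ISP gateway (not on the ASA)"
        elif addr in owned:
            result[str(addr)] = "ASA interface address"
        elif addr in statics:
            result[str(addr)] = "static PAT: " + ", ".join(statics[addr])
        else:
            result[str(addr)] = "no translation; nothing on the ASA is configured for it"
    return result


if __name__ == "__main__":
    for ip, what in map_public_block(ASA_CONFIG, "198.51.100.32/28", "198.51.100.33").items():
        print(f"{ip:16} {what}")
```

Running it against a real config export makes it obvious which public addresses have only the ISP gateway, the ASA itself, or a PAT entry behind them, which is the first thing to confirm before reading packet-tracer output for an address in the block.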
 

Author Closing Comment

by:snowdog_2112
ID: 40544013
No solution found.

