Solved

Cisco ASA - can't ping/trace icmp to IP in public IP block

Posted on 2014-11-17
5
329 Views
Last Modified: 2015-01-12
IP block from ISP: x.y.z.32/28

ISP gateway: x.y.z.33
ASA outside: x.y.z.34

permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp

I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail

This, however, "DROP" by implicit rule - which goes to the implicit "deny any any""
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail

This fails on every IP in the block except the actual IP on the interface.

What am I missing?
0
Comment
Question by:snowdog_2112
  • 3
  • 2
5 Comments
 

Expert Comment

by:tadeystas
ID: 40448557
maybe it's stupid question, but do you have a route setup?
0
 

Author Comment

by:snowdog_2112
ID: 40448669
I don't follow what you mean.

I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.

I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.

Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.

The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.
0
 

Expert Comment

by:tadeystas
ID: 40450864
On ASA you can only ping from higher security level to lower security level, not vice versa.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 40453388
More info: this is *not* the only outside facing interface, and it's also not the default route.  I *do* have a /28 route on the remote side to this block.

I am trying to ping from an Internet IP *not in my subnet* to several IP's which are in my subnet.

I can ping the ISP gateway, but not the IP on the outside interface, nor any of the other IP's which are part of my block - some of which I have tcp mappings defined (e.g., static (inside,outside) tcp x.y.z.45 3389 192.168.1.45 3389) so I can't add a 1-to-1 - which would theoretically send the ping to the INSIDE host, not the ASA itself.

Do I need a reciprocating route on this side via this non-default interface to the remote network?   Even if that were true, the packet-tracer shows the incoming icmp "drop" due to implicit rule, not that it is receiving the ping on this interface and replying via the default gateway interface.
0
 

Author Closing Comment

by:snowdog_2112
ID: 40544013
no solution found.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now