Solved

Cisco ASA - can't ping/trace icmp to IP in public IP block

Posted on 2014-11-17
Last Modified: 2015-01-12
IP block from ISP: x.y.z.32/28

ISP gateway: x.y.z.33
ASA outside: x.y.z.34

permit icmp any outside
access-list in.outside permit icmp any any
global policy: inspect icmp

I can do the following:
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.34 detail

This, however, results in "DROP" by implicit rule - which goes to the implicit "deny any any":
packet-tracer input outside icmp 4.4.2.2 8 0 x.y.z.40 detail

This fails on every IP in the block except the actual IP on the interface.

What am I missing?
Question by:snowdog_2112
5 Comments

Expert Comment

by:tadeystas
ID: 40448557
Maybe it's a stupid question, but do you have a route set up?

Author Comment

by:snowdog_2112
ID: 40448669
I don't follow what you mean.

I'm running a packet-tracer on the ASA itself, using one of the IP's in the assigned block.

I can't ping the IP from a remote system - which is why I'm testing the packet-tracer in the first place.

Routing is functioning to the entire subnet, as I have a "static (inside,outside) tcp x.y.z.45 3389 192.168.1.35 3389 netmask 255.255.255.255" which is also working.

The question is why the icmp is dropped with implicit ACL when I have an *explicit* permit icmp any any in the access list on the interface.

Expert Comment

by:tadeystas
ID: 40450864
On ASA you can only ping from higher security level to lower security level, not vice versa.

Accepted Solution

by:snowdog_2112 (earned 0 total points)
ID: 40453388
More info: this is *not* the only outside facing interface, and it's also not the default route.  I *do* have a /28 route on the remote side to this block.

I am trying to ping from an Internet IP *not in my subnet* to several IP's which are in my subnet.

I can ping the ISP gateway, but not the IP on the outside interface, nor any of the other IP's which are part of my block - some of which I have tcp mappings defined (e.g., static (inside,outside) tcp x.y.z.45 3389 192.168.1.45 3389) so I can't add a 1-to-1 - which would theoretically send the ping to the INSIDE host, not the ASA itself.

Do I need a reciprocating route on this side via this non-default interface to the remote network?   Even if that were true, the packet-tracer shows the incoming icmp "drop" due to implicit rule, not that it is receiving the ping on this interface and replying via the default gateway interface.
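The behaviour the thread circles around can be summarised as a small decision model: the ASA only answers echo requests sent to its own interface address, a 1-to-1 static hands the whole address (ICMP included) to the inside host, and a tcp port static translates nothing for ICMP, so an echo to any other address in the connected /28 has nowhere to go. The following is an added illustration written for this page, not code from the thread or from Cisco; the 203.0.113.32/28 block, the interface address and the translation table are constructed stand-ins for the asker's x.y.z.32/28 and static entries.

```python
import ipaddress

# Constructed stand-ins for the thread's x.y.z.32/28 block and outside address
# (documentation prefix, not the asker's real space).
OUTSIDE_NET = ipaddress.ip_network("203.0.113.32/28")
OUTSIDE_IP = ipaddress.ip_address("203.0.113.34")

# Hypothetical translation table: a tcp port static like the one in the thread,
# plus a 1-to-1 static to show the contrasting case.
STATICS = [
    {"proto": "tcp", "global": "203.0.113.45", "port": 3389, "local": "192.168.1.45"},
    {"proto": None, "global": "203.0.113.46", "local": "192.168.1.46"},
]


def icmp_echo_to_outside_block(dst, statics=STATICS,
                               outside_ip=OUTSIDE_IP, outside_net=OUTSIDE_NET):
    """Predict how the ASA treats an ICMP echo arriving on 'outside' for dst.

    Simplified model of the cases discussed in the thread:
      * echo to the interface address is answered by the ASA itself, governed
        by 'icmp permit ... outside', not by the interface access-list;
      * a 1-to-1 static translates the whole address, so the echo is forwarded
        to the inside host and the interface access-list decides;
      * a port static (tcp/udp) does not translate ICMP, so an untranslated
        address in the connected outside subnet would have to leave by the
        interface it arrived on; packet-tracer reports that as a drop by the
        implicit rule, which is what the asker observed for x.y.z.40.
    """
    dst = ipaddress.ip_address(dst)
    if dst not in outside_net:
        return "ROUTED_ELSEWHERE"  # not an address this model reasons about
    if dst == outside_ip:
        return "REPLY_FROM_ASA"
    for entry in statics:
        if ipaddress.ip_address(entry["global"]) != dst:
            continue
        if entry["proto"] is None:
            return f"FORWARD_TO_INSIDE {entry['local']}"
        # Port-level static matched: only that protocol/port is translated,
        # so fall through to the untranslated case for ICMP.
    return "DROP_NO_TRANSLATION"


if __name__ == "__main__":
    for target in ("203.0.113.34", "203.0.113.40", "203.0.113.45", "203.0.113.46"):
        print(target, "->", icmp_echo_to_outside_block(target))
```

The model says nothing about whether the interface access-list would then permit the forwarded echo; it only shows why the explicit `permit icmp any any` never gets a chance to match for addresses that are neither the interface address nor covered by a full-address translation.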

Author Closing Comment

by:snowdog_2112
ID: 40544013
no solution found.
