topic Re: Routing failed to locate next hop for ICMP Firewall in Network Security

Routing failed to locate next hop for ICMP Firewall

benolyndav — Fri, 21 Feb 2020 16:19:28 GMT

Please see attached document cant ping through firewall in DMZ with two ASA's

Thanks

Re: Routing failed to locate next hop for ICMP Firewall

Rob Ingram — Thu, 04 Oct 2018 18:39:06 GMT

Hi,
Ping/ICMP is blocked on ASA by default. Try this:-

ASA(config)# policy-map global_policy
ASA(config-pmap)# class default-inspection-class
ASA(config-pmap-c)# inspect icmp
or

ASA(config)# fixup protocol icmp

HTH

Re: Routing failed to locate next hop for ICMP Firewall

benolyndav — Thu, 04 Oct 2018 18:50:42 GMT

Already added to both Firewalls, any more ideas.??

Thanks

Re: Routing failed to locate next hop for ICMP Firewall

Rob Ingram — Thu, 04 Oct 2018 19:00:05 GMT

Without seeing your configuration of all devices it's a bit hard. You said you cannot ping beyond .2 - do the devices beyond .2 have a route back to the source network you were pinging from? Are you natting anywhere?

Re: Routing failed to locate next hop for ICMP Firewall

benolyndav — Thu, 04 Oct 2018 19:12:24 GMT

No nat, I can ping from the outside interface of the inside firewall =.2 to the internet facing firewall inside interface =.1 these are on same subnet connected to 3850, but i cannot ping from inside firewall beyond .2 of internet firewall, and i cannot ping from internet facing firewall .2 through to public address on outside interface of internet facing firewall, i have a default route poing outside interface any any, when i try putting a route on inside firewall pointing to .2 it says its a connected interface. what routes are needed and where please.?? could it be because the firewalls have an interface in same subnet.??

Thanks

Re: Routing failed to locate next hop for ICMP Firewall

Rob Ingram — Thu, 04 Oct 2018 19:17:10 GMT

Can you provide the full configuration of the firewalls and switches, indicating which firewall and switch relates to what in the diagram? Thanks

Re: Routing failed to locate next hop for ICMP Firewall

benolyndav — Thu, 04 Oct 2018 19:35:51 GMT

I cant provide config yet but have done another doc see attachment.

Thanks

Re: Routing failed to locate next hop for ICMP Firewall

Rob Ingram — Thu, 04 Oct 2018 20:20:54 GMT

Ok, if you are pinging the internet from 172.20.57.2 and it fails, it would if you don't have nat configured. You'd need to nat traffic on the inside of the firewall behind the outside interface.

Re: Routing failed to locate next hop for ICMP Firewall

benolyndav — Thu, 04 Oct 2018 20:30:38 GMT

Hi Thanks for that,

so nat inside traffic to outside interface, any thoughts on traffic coming from inside firewall 172.20.57.1 to internet because that also fails.??

Thanks

Re: Routing failed to locate next hop for ICMP Firewall

Rob Ingram — Thu, 04 Oct 2018 20:41:15 GMT

You would nat all networks (all networks that need to route through the internet firewall to access the internet) behind the internet firewall's outside interface, that would enable internet access.

You need to ensure that the internet firewall has routes to the other networks and the inside firewall has a default route to the internet firewall. e.g route outside 0 0 172.20.57.2

HTH

Re: Routing failed to locate next hop for ICMP Firewall

benolyndav — Thu, 04 Oct 2018 20:46:00 GMT

Its not letting me add this route outside 0 0 172.20.57.2 it says its a connected network.??

Re: Routing failed to locate next hop for ICMP Firewall

Rob Ingram — Thu, 04 Oct 2018 20:58:35 GMT

Well the next hop IP address needs to be connected, I don't see why you'd get this error. Can you provide the full configuration and a screenshot of the exact error when you add this to the inside firewall.