topic Re: ASA5515 - deny ICMP dst outside in Network Security

ASA5515 - deny ICMP dst outside

NetAdmin2 — Fri, 12 Feb 2021 18:16:23 GMT

I get an error some in a while about Google DNS:

%ASA-4-117145: 
Deny icmp src Z245:172.23.123.67 dst OUTSIDE:8.8.8.8 
(type 3, code 3) by access-group "Z245_access_in"

I'm trying to understand it, but my mind is frozen.

I have to permit icmp for Z245_access_in ? to get to Google DNS ?

How the command should be ?

Thank you.

Re: ASA5515 - deny ICMP dst outside

MHM Cisco World — Fri, 12 Feb 2021 20:07:39 GMT

ICMP port unreachable this is the meaning for this code,
can I see the NAT and ACL for this connection ?

Re: ASA5515 - deny ICMP dst outside

Marvin Rhoads — Sat, 13 Feb 2021 06:14:10 GMT

The deny is for icmp (used by ping and traceroute) - not for DNS per se. Sometimes I have seen ACLs that allow DNS (or other things) explicitly and then the implicit deny will block icmp. To test DNS to 8.8.8.8 use nslookup and specify 8.8.8.8 as the server.

If you want to allow the icmp then, yes, it would need to be added to the Z245_access_in ACL. The exact syntax depends on how the access-list is currently constructed.

Re: ASA5515 - deny ICMP dst outside

Sheraz.Salim — Sat, 13 Feb 2021 15:12:16 GMT

your command should be in this fashion. looking into your icmp code

ICMP: Type = 3 (Destination unreachable)

access-list Z245_access_in line 1 extended permit icmp host 172.23.123.67 host 8.8.8.8 echo-reply

Re: ASA5515 - deny ICMP dst outside

MHM Cisco World — Sat, 13 Feb 2021 14:52:04 GMT

I think he use 8.8.8.8 as destination for IP SLA imp echo

Re: ASA5515 - deny ICMP dst outside

MHM Cisco World — Sat, 13 Feb 2021 15:13:26 GMT

So If you use IP SLA then
and you config the ACL then will permit only echo request
but what about the port unreachable and other icmp message, it by default drop.
you need to permit it.

NOTE:-
if you generate the traffic from inside "which I sure" then you don't need any ACL in outside interface
only need icmp inspection.

Re: ASA5515 - deny ICMP dst outside

Sheraz.Salim — Sat, 13 Feb 2021 15:33:46 GMT

if you use SLA on ASA the syslog message would be in this manner. i just test this on my ASA.
where my configuration are simple and default.

show sla monitor configuration 1
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

<166>:Feb 13 15:44:40 UTC: %ASA-session-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.8.108/42424 laddr 192.168.8.108/42424 type 8 code 0

Re: ASA5515 - deny ICMP dst outside

NetAdmin2 — Tue, 16 Feb 2021 01:01:10 GMT

Hi MHM Cisco World,

The network path: Router -> Switch -> Firewall ASA -> Switch -> F5 -> host container (NTCP-172.23.123.67/[68])

Router:

The NAT is static, and is done on the router, using route-map + ACL

ip nat inside source static NTCP-172.23.123.67 134.23.123.67 route-map permit-134.23.123.67 extendable no-alias route-map permit-134.23.123.67 permit 10 match ip address LIST-permit-134.23.123.67 match interface FastEthernet0/1/0 ! ip access-list extended LIST-permit-134.23.123.67 permit ip host 172.23.123.67 host 8.8.8.8 permit ip host 172.23.123.68 host 8.8.4.4

ASA:

the ACL for Z245_access_in:

object-group service DM_INLINE_SERVICE_237 service-object object TCP-53 service-object object UDP-53 object-group network DM_INLINE_NETWORK_131 network-object object NTCP-172.23.123.67 network-object object NTCP-172.23.123.68 object-group network DM_INLINE_NETWORK_132 network-object object Google-DNS-8.8.4.4 network-object object Google-DNS-8.8.8.8 access-list Z245_access_in extended permit object-group DM_INLINE_SERVICE_237 object-group DM_INLINE_NETWORK_131 object-group DM_INLINE_NETWORK_132 access-list Z245_access_in extended deny tcp any any eq smtp log disable inactive access-list Z245_access_in extended deny ip any any

the ACL for OUTSIDE_access_out:

object-group service DM_INLINE_SERVICE_238 service-object object TCP-53 service-object object UDP-53 object-group network DM_INLINE_NETWORK_133 network-object object NTCP-172.23.123.67 network-object object NTCP-172.23.123.68 object-group network DM_INLINE_NETWORK_134 network-object object Google-DNS-8.8.4.4 network-object object Google-DNS-8.8.8.8 access-list OUTSIDE_access_out extended permit object-group DM_INLINE_SERVICE_238 object-group DM_INLINE_NETWORK_133 object-group DM_INLINE_NETWORK_134

Re: ASA5515 - deny ICMP dst outside

MHM Cisco World — Tue, 16 Feb 2021 01:40:36 GMT

Where is ip sla config?