topic Re: ICMP TRU ASAv in Network Security

ICMP TRU ASAv

stephn.zii — Sun, 10 Apr 2022 11:54:21 GMT

Hello all,

I configured my ASAv to allow icmp through but for some reason traffic is not going through, below are configs on device:

R2#

!
interface Ethernet0/0
description OUTSIDE
ip address 192.1.20.2 255.255.255.0
!

ciscoasa#
!

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.1.20.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.11.11.10 255.255.255.0
!

policy-map global_policy
class inspection_default
inspect icmp

access-list OUTSIDE line 1 extended permit icmp any4 any4 echo-reply (hitcnt=0) 0x1a292449
access-list OUTSIDE line 2 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xd763b729
access-list OUTSIDE line 3 extended permit icmp any4 any4 timestamp-reply (hitcnt=0) 0x9fbe9b61
access-list OUTSIDE line 4 extended permit icmp any4 any4 unreachable (hitcnt=0) 0xed842821
!

R1#

!
interface Ethernet0/0
description INSIDE
ip address 10.11.11.1 255.255.255.0
!

Any help will be appreciated.

Thanks.

Re: ICMP TRU ASAv

Rob Ingram — Sun, 10 Apr 2022 14:27:35 GMT

@stephn.zii by enabling ICMP inspection should allow traffic from inside to outside to work....if you have routing and potentially nat configured correctly.

Are you testing from inside (R1) to outside?

Is routing configured on the ASA and both routers?

If you are pinging from outside to inside you would need to create another ACE entry permitting "echo" on the ACL and also create an access-group (if it isn't already) and specifiy the direction and the interface.

access-list OUTSIDE extended permit icmp any4 any4 echo
access-group OUTSIDE in interface outside

If that doesn't work run packet-tracer from the CLI and provide the output for review.

Re: ICMP TRU ASAv

balaji.bandi — Sun, 10 Apr 2022 12:12:03 GMT

what is the source and destination? what do you see in the log s?

any4 any4

not sure - this should be any any right?

access-group OUTSIDE in interface Outside

Re: ICMP TRU ASAv

stephn.zii — Tue, 12 Apr 2022 15:29:53 GMT

Hello Ingram,

Yes I am testing from R1 to R2 and I have attach my topology to this reply. Yes routing is configured on the ASA, I am running BGP with R2 and OSPF with R1 and redistributed BGP into OSPF but have a default route on the ASA going to R2. I recreated the access list, see below:

access-list TRU-TRAFIK permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 23
access-list TRU-TRAFIK permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 22
access-list TRU-TRAFIK permit icmp host 192.1.20.2 10.11.11.0 255.255.255.0 eq echo
!
access-group TRU-TRAFIK in interface Outside
!

but I also found something weird, the ospf neighbors are not forming and I cannot ping to the ASA interface ip from either routers so I think there is an issue with my ASA image. I will check that and let you know the outcome.

Re: ICMP TRU ASAv

stephn.zii — Tue, 12 Apr 2022 15:31:00 GMT

Hello Bandi,

I think my ASA image has an issue so I am working on it and when am done I will let you know the outcome.

Re: ICMP TRU ASAv

stephn.zii — Tue, 12 Apr 2022 17:37:33 GMT

Thank you for your response I think it was my asa that was not working well. I deleted it and recreated it with new setup and everything started working.

Re: ICMP TRU ASAv

stephn.zii — Tue, 12 Apr 2022 17:37:58 GMT

Thank you for your response I think it was my asa that was not working well. I deleted it and recreated it with new setup and everything started working.

Re: ICMP TRU ASAv

balaji.bandi — Tue, 12 Apr 2022 21:09:56 GMT

Glad to know it was resolved and appreciated your feedback, it is very useful for the community member, who have the same issue and can resolve it quickly with the solution.