topic Hi Vishnu, For ICMP traffic, in Network Security

Cannot access site

Vishnu Reddy — Tue, 12 Mar 2019 05:45:37 GMT

Hello Guys,

I am trying to access a site from Company

This is what the access-list on my ASA pertaining to that site I am trying to access.

access-list Inside_access_in extended permit ip any host xxx.xxx.132.23

access-group Inside_access_in in interface Inside

access-list Outside_access_in extended permit ip host xxx.xxx.132.23 any

access-group Outside_access_in in interface Outside

4 packets captured

1: 15:24:58.971217 10.1.77.166 > xxx.xxx.132.23: icmp: echo request

2: 15:24:59.973689 10.1.77.166 > xxx.xxx.132.23: icmp: echo request

3: 15:25:00.975672 10.1.77.166 > xxx.xxx.132.23: icmp: echo request

4: 15:25:01.977610 10.1.77.166 > xxx.xxx.132.23: icmp: echo request

4 packets shown

NOR-3150-ASA01(config)# show capture CAP1

4 packets captured

1: 15:24:59.025786 xxx.xxx.132.23 > x.xx.106.10: icmp: echo reply

2: 15:25:00.025709 xxx.xxx.132.23 > x.xx.106.10: icmp: echo reply

3: 15:25:01.030836 xxx.xxx.132.23 > x.xx.106.10: icmp: echo reply

4: 15:25:02.054486 xxx.xxx.132.23 > x.xx.106.10: icmp: echo reply

4 packets shown

I can ping internally but i can get to the site

I have done the packet capture also which shows that SYN is sent by no SYN ACK and ACKs received with only retransmissions.

I am using IP in the access-list so that rules out the port issues.

Also i noticed one this is that I can't telnet to the port they have provided: 3080

Any help highly appreciated.

Hi Vishnu, For ICMP traffic,

Harvey Ortiz — Sat, 11 Apr 2015 03:24:34 GMT

Hi Vishnu,

For ICMP traffic, it is required to enable icmp inspection since the ASA doesn´t do this by default and it is going to block the echo replies.

See more details about icmp inspection:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html#wp1735986

You can enable it on this way:

******

config t

fixup protocol icmp

******

I guess that ´CAP1´ is the one applied to the outside interface, but I just see the echo replies coming but not the echo requests going out on the CAP1 capture.

Make sure there is not an asymetic routing issue, if echo requests are going out through the outside interface then echo replies should come back through the same outside interface.

Hope it helps.

Regards,

Harvey.

Please rate if this is correct answer.

I am assuming that the server

Andre Neethling — Sun, 12 Apr 2015 15:15:36 GMT

I am assuming that the server xxx.xxx.132.23 is a server on the internet that you are trying to access. Can you please post your full Asa config to review?

I can give you remote access

Vishnu Reddy — Tue, 14 Apr 2015 19:29:46 GMT

I can give you remote access to this device look into what is the issue as I can't post the config as it has 1000 lines of config and lots of work needs to be done.

Personally don't want remote

Jon Marshall — Tue, 14 Apr 2015 19:46:25 GMT

Personally don't want remote access and you probably don't want us to do that ie,. what if we stopped the firewall working.

It's not clear, can you ping this site from the inside or not ?

If you can but not access it on the application port or telnet to the application port then it sounds like a server issue.

If you can't ping it then it sounds like a configuration issue.

Which is it ?

Jon