topic Can you post a picture of in Network Security

Cisco ASA 5505 Denied ICMP type=0, no matching session

Johan Kardell — Tue, 12 Mar 2019 05:20:55 GMT

I setup routing in my ASA to a lab environment (static routing from the ASA), I can from my Lab ping my cisco ASA, and from my Cisco ASA ping the Lab, I can't ping from the lab to, for example my cisco switch connected behind the ASA (or anything else on my LAN), when I do this I get the following message in the ASA (172.16.30.2 is my Switch):

Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session

I don't know why I get this message, if it's because the ASA complains about some kind of asymmetric routing or some rule in the ASA that's blocking this, the thing is that in this case that's not really important :), just curious if you can permit this in some way?

The lab consists of Cisco routers.

Anyone know who to permit this in the ASA? Would be really helpful!!!! 🙂

(Image on ASA is:asa922-4-k8.bin)

Thanks for reading this!

Can you post a picture of

Collin Clark — Thu, 15 Jan 2015 15:08:03 GMT

Can you post a picture of your topology?

Sure!The Lab is on a computer

Johan Kardell — Thu, 15 Jan 2015 15:27:40 GMT

Sure!

The Lab is on a computer running GNS3, this might be what the ASA don't like...?

A bit more explanation:

I have connected my GNS3 environment to my real network.

I have setup BGP and OSPF in GNS3 and static routes in my Cisco ASA to the GNS3 network

(in the ASA 172.16.1.0/24 and 192.168.1.0/24 to the interface on VMA-01R facing my real network, that's

route inside 172.16.1.0 255.255.255.0 172.16.30.13

route inside 192.168.1.0 255.255.255.0 172.16.30.13).

in RNK-02R I have a default route (that's coming via BGP from VMA-01R) to VMA-01R and in VMA-01R I have the connection to my real environment.

From the ASA I can successfully ping my GNS3 routers, and from GNS3 I can ping the Cisco ASA firewall, but when I try to ping anything else on my internal network the ASA complains with the following message:

Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session

(172.16.30.2 is in this case the CiscoSwitch, the CiscoSwitch and the Cisco ASA is on my real network).

As a test can you put a

Collin Clark — Thu, 15 Jan 2015 18:41:45 GMT

As a test can you put a static route in your switch?

ip route 172.16.1.10 255.255.255.255 172.16.30.13

Now try and ping 172.16.1.10

Thanks, but I can't :/, it's

Johan Kardell — Thu, 15 Jan 2015 19:04:37 GMT

Thanks, but I can't :/, it's a Cisco 2940.
Thinking about trying to replace the Cisco ASA with a Cisco Router, temporary, and see if this work, I can't do this until Saturday though (don't have the eq. right now), but I would prefer if it was possible to get the ASA to somehow permit this since the ASA is my "real" connection to the internet.

(Sorry, I accidentally clicked correct answer)

Ah ok. ICMP on the ASA can be

Collin Clark — Thu, 15 Jan 2015 19:10:15 GMT

Ah ok. ICMP on the ASA can be a PIA especially when traversing interfaces. A couple of other things to check. First do you have "same-security-traffic permit intra-interface" configured? In the logs on the ASA are you getting an error pertaining to IP Redirects or tcp state failure (you will have to try "telnet 172.16.1.10")

Ok, :), I enabled "same

Johan Kardell — Fri, 16 Jan 2015 11:53:41 GMT

Ok, :), I enabled "same-security-traffic.." on the ASA, no I can from my client ping the env. on the Lab, but can't do for ex. telnet.

I tried to telnet a loopback on the lab "192.168.1.6" from my client on the real Lan.

From the lab i still can't ping anything on 172.16.30.0/24 network, please see attachment from ASA log - thanks for all your help Collin!

Any ideas :/?

Okej! I got i to work :)!!!I

Johan Kardell — Sat, 17 Jan 2015 13:39:20 GMT

Okej! I got i to work :)!!!

I enabled "same-security-traffic permit intra-interface" and followed this guide, this guide did the trick with the telnet as well!

"http://www.matthewjwhite.co.uk/2012/02/13/asymmetric-routing-with-cisco-asa-firewalls/"

Thanks for all the help! - This might not be the optimal solution, but in my case this is what I needed.