topic Re: Issue with ASA5525 allowing ping through in Network Security

Issue with ASA5525 allowing ping through

adbland — Tue, 20 Aug 2019 20:29:00 GMT

After reading though and implementing many of other configuration suggestions from community page posts related to the same issue as well as from config guides and other related pages, I am still having an issue with pinging from my Catalyst 9200 switch through a ASA5525 to next hop IP address when I am able to ping it from the ASA it is directly connected to and can ping from from both directions of the connection between the switch and ASA but just cannot from the switch through ASA to the next hop IP nor from the switch to the ASA outbound interface connected to that next hop IP.

The following ASA output is from the switch ip, of one subnet, connected to the ASA inbound interface checking the path to the .97 next hop IP, of another subnet, which lists it to be due to an implicit deny rule,

ASA# packet-tracer input inside icmp x.x.251.1 8 0 x.x.249.97 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.249.97 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7b08bb0, priority=501, domain=permit, deny=true
hits=5, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=64.102.251.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA#

with the following ASA config edited down to what was believed to be the appropriate ASA configs to allow ICMP through,

: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA Version 9.8(2)
!
...
!
interface GigabitEthernet0/0
description to WAN
nameif outside
security-level 0
ip address x.x.249.98 255.255.255.252
!
interface GigabitEthernet0/1
description to LAN
nameif inside
security-level 100
ip address x.x.251.1 255.255.255.224
!
...
!
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
object-group icmp-type ping
description Ping Group
icmp-object echo
icmp-object echo-reply
access-list acl-in-out extended permit icmp any any echo
access-list acl-in-out extended permit icmp any any time-exceeded
access-list OUT-IN extended permit icmp any any
...
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group acl-in-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.249.97 1
...
!
policy-map type inspect dns preset_dns_map
...
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_2
...
: end
ASA#

with the full ASA configuration attached along with an edited down version of my switch config if possibly needed for any reason.

Note: Hostname and IPs altered for this post to start with x.x to leave the ending subnet identifiers for each and interfaces summarized down with "..." dividers for each config.

Any feedback would be appreciated.

Re: Issue with ASA5525 allowing ping through

Rob Ingram — Tue, 20 Aug 2019 20:17:12 GMT

Hi,
You don't appear to have NAT configured on the ASA, I cannot determine from the masked IP addresses if they are public IP addresses and are routable - I assume not?

You have "inspect icmp" so icmp replies should be permitted.

HTH

Re: Issue with ASA5525 allowing ping through

adbland — Tue, 20 Aug 2019 22:26:11 GMT

Actually, they are public and routable and not within the following private address ranges,

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

with one being a /30 used to connect from a lab network ASA through to another network and the other /27 used for device addresses to communicate through the ASA into that another network with just the .97 address leading to that another network needing to be pingable from the switch through the ASA.

Without adding NAT yet having not seen your post yet, I did change my switch route to ip route 0.0.0.0 0.0.0.0 x.x.251.1 when it was incorrect and changed "access-group acl-in-out in interface outside" to "access-group acl-in-out in interface inside" on the ASA and receiving "Allow" for all phases of a "packet-tracer input inside icmp x.x.251.2 8 0 x.x.249.97 detailed" command, from the switch .2 ip to the next hop .97 ip on the other side of the ASA, on the ASA afterward but still not getting a successful ping to .97 from the switch.

Latest packet-tracer output attached.

Re: Issue with ASA5525 allowing ping through

Afolarin Omole — Thu, 22 Aug 2019 19:55:05 GMT

@adbland

What traffic are you trying to pass via ASA to the next hop ? have you check the logs on ASA ? the packet tracer shows you are been deny by implicit rule , which means there is a rule blocking the return packet from the other side back to the switch . There are two ICMP inspection on ASA , one that's inspected via default inspection policy which is only for connectivity and the other explicitly define Globally , which in your case is inspected.

i suggest you check ASA logs , tcp dump on the interested interface to know why this has been dropped, but all comes down to you allowing this traffic via a rule .

In advance way you can modify the ASA inspection engine with the MQC syntax but you need to understand how this works before using it.

Re: Issue with ASA5525 allowing ping through

adbland — Wed, 04 Sep 2019 16:19:53 GMT

“ALLOW” results for each phase of a,

"packet-tracer input inside icmp <inside interface IP> 8 0 <next hop GW IP> detailed"

as well as show capture detail output from,

capture capin interface inside match ip host <inside interface IP> host <next hop GW IP>

capture capout interface outside match ip host <inside interface IP> host <next hop GW IP>

show that the ping was allowed out but no route on the other side to allow it back in for the ping to succeed on the next hop gateway IP DMZ network that others manage and have been informed to correct.

all feedback for this post has been appreciated. Thanks.

Re: Issue with ASA5525 allowing ping through

bhargavdesai — Thu, 05 Sep 2019 07:03:16 GMT

I would say that according to your latest Packet Tracer output, ASA is not blocking your ICMP packets. It is allowing the traffic to go by.

You need to keep in mind that You will never going to get response from ASA's Interface IP from a host on different Interface. For example, a host connected to INSIDE trying to ping the IP address configured on the ASA's OUTSIDE interface will never get response. Which is by design. As per my knowledge.

Now to your query You have to look into two devices connected on the each interface of the ASA. Look at the routing table for both the devices you are trying to communicate and also check for the firewall/ACL on either device which might be blocking the traffic.

Bhaggu