https://community.cisco.com/t5/network-security/implicit-deny-for-icmp-on-inside-interface/m-p/2425195#M268939 <HTML><HEAD></HEAD><BODY><P>Hi Keith,</P><P></P><P>is another type of traffic permitted between same devices? If not please enable following:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><STRONG>same-security-traffic permit intra-interface</STRONG></PRE><P></P><P>It permits communication between peers connected to the same interface.</P><P></P><P>Kind regards,</P><P>Veronika</P></BODY></HTML> Thu, 27 Feb 2014 21:14:56 GMT Veronika Klauzova 2014-02-27T21:14:56Z https://community.cisco.com/t5/network-security/implicit-deny-for-icmp-on-inside-interface/m-p/2425194#M268938 <P>I can't figure out how to overcome the implicit deny for icmp on the inside interface of an ASA firewall.</P><P>I am pinging from one internal host to another, both on the inside interface.</P><P>I've added explicit rules but it doesn't seem to matter.</P><P></P><P>Please help</P><P></P><P></P><P>asa(config)# packet-tracer input inside icmp 192.168.1.200 8 0 192.168.22.1 de$</P><P></P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in&nbsp;&nbsp; 192.168.22.0&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside</P><P></P><P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (inside,inside) source static any any destination static Net_192.168.0.0_16 Net_192.168.0.0_16 no-proxy-arp route-lookup<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate 192.168.22.1/0 to 192.168.22.1/0</P><P></P><P>Phase: 3<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in&nbsp;&nbsp; 192.168.1.0&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />Phase: 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />Type: ACCESS-LIST<BR />Subtype:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />Result: DROP&nbsp; <BR />Config:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />Implicit Rule <BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in&nbsp; id=0xcb1aaa70, priority=111, domain=permit, deny=true<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hits=3637, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; input_ifc=inside, output_ifc=inside<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />Result:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop&nbsp; <BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Tue, 12 Mar 2019 03:51:26 GMT https://community.cisco.com/t5/network-security/implicit-deny-for-icmp-on-inside-interface/m-p/2425194#M268938 Keith Hearn-core 2019-03-12T03:51:26Z https://community.cisco.com/t5/network-security/implicit-deny-for-icmp-on-inside-interface/m-p/2425195#M268939 <HTML><HEAD></HEAD><BODY><P>Hi Keith,</P><P></P><P>is another type of traffic permitted between same devices? If not please enable following:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><STRONG>same-security-traffic permit intra-interface</STRONG></PRE><P></P><P>It permits communication between peers connected to the same interface.</P><P></P><P>Kind regards,</P><P>Veronika</P></BODY></HTML> Thu, 27 Feb 2014 21:14:56 GMT https://community.cisco.com/t5/network-security/implicit-deny-for-icmp-on-inside-interface/m-p/2425195#M268939 Veronika Klauzova 2014-02-27T21:14:56Z https://community.cisco.com/t5/network-security/implicit-deny-for-icmp-on-inside-interface/m-p/2425196#M268940 <HTML><HEAD></HEAD><BODY><P> Thanks that worked perfectly.</P></BODY></HTML> Fri, 28 Feb 2014 00:16:43 GMT https://community.cisco.com/t5/network-security/implicit-deny-for-icmp-on-inside-interface/m-p/2425196#M268940 Keith Hearn-core 2014-02-28T00:16:43Z