https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632466#M558861 <HTML><HEAD></HEAD><BODY><P>Hi, I have just turned on debug on the router that is connected to the outside interface and it is sending echo reply to the ASA.</P><P></P><P>ICMP: echo reply sent, src 203.14.x.x, dst 203.14.x.x, topology BASE, dscp 0 topoid 1</P><P></P><P>The destination ip is the tranlslated (gaddr).</P><P></P><P>Thanks</P></BODY></HTML> Thu, 31 Mar 2011 04:42:57 GMT hadisharifi 2011-03-31T04:42:57Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632464#M558859 <P>Hi, I have configured the ASA to inspect ICMP but when trying to ping from DMZ to outside I don't get any echo replies.</P><P></P><P>Here is the config.</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp;&nbsp; inspect icmp</P><P></P><P>nat (DMZ,outside) source dynamic DMZ-Subnet DMZ-NAT-POOL</P><P>access-list DMZ_access_in extended permit ip 10.0.22.0 255.255.255.0 any</P><P></P><P>The debug icmp trace on the ASA shows:</P><P></P><P>ICMP echo request from DMZ:10.0.22.51 to outside:124.x.x.x ID=512 seq=29440 len=32</P><P>ICMP echo request translating DMZ:10.0.22.51 to outside:203.14.x.x</P><P></P><P>And in the log from ASDM it shows:</P><P></P><P>Built outbound ICMP connection for faddr 124.x.x.x/0 gaddr 203.14.x.x/512 laddr 10.0.22.51/512</P><P>Teardown ICMP connection&nbsp; for faddr 124.x.x.x/0 gaddr 203.14.x.x/512 laddr 10.0.22.51/512</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 20:14:57 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632464#M558859 hadisharifi 2019-03-11T20:14:57Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632465#M558860 <HTML><HEAD></HEAD><BODY><P>Is the outside host actually replying to the ECHO Request packet?</P><P></P><P>You might want to run packet capture on both inside and outside interfaces to see if ECHO Request is getting sent out, and ECHO Reply is coming in from the outside host.</P></BODY></HTML> Thu, 31 Mar 2011 03:28:14 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632465#M558860 Jennifer Halim 2011-03-31T03:28:14Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632466#M558861 <HTML><HEAD></HEAD><BODY><P>Hi, I have just turned on debug on the router that is connected to the outside interface and it is sending echo reply to the ASA.</P><P></P><P>ICMP: echo reply sent, src 203.14.x.x, dst 203.14.x.x, topology BASE, dscp 0 topoid 1</P><P></P><P>The destination ip is the tranlslated (gaddr).</P><P></P><P>Thanks</P></BODY></HTML> Thu, 31 Mar 2011 04:42:57 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632466#M558861 hadisharifi 2011-03-31T04:42:57Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632467#M558862 <HTML><HEAD></HEAD><BODY><P>OK, so the router is sending the reply, does the ASA receive the ECHO Reply?</P><P>Have you perform packet capture on both inside and outside interface to check where it's failing?</P></BODY></HTML> Thu, 31 Mar 2011 06:32:33 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/1632467#M558862 Jennifer Halim 2011-03-31T06:32:33Z