https://community.cisco.com/t5/network-security/fw-log-clarifications/m-p/1517497#M588955 <P>Hi all Expert,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Can someone help me to understand the log output of my ASA.&nbsp; First let me try to explain the dilemma. I am trying to reach the ASA interface in another DMZ. Let's say that I am in the inside interface and try to reach DMZ100(ping from inside 10.10.10.10 to DMZ100 AT 10.100.1.1). There is what the ASA shows and what I am trying to understand:</P><P></P><P>1. I have icmp enable in the default inspection rule</P><P></P><P>6 Nov 25 2010 10:20:56 302021 10.10.10.10 1 10.100.1.1 0 Teardown ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0</P><P>And below is the explanation given by the ASA when I hover my mouse over the output</P><P><STRONG style="text-decoration: underline; "> ICMP connection is removed in the fast path when statefull ICMP packet is enabled using ICMP INSPECT COMMAND</STRONG></P><P><STRONG style="text-decoration: underline; ">ICMP is enable under inspect rule</STRONG></P><P></P><P>2. icmp is disable in the inspection rule</P><P>policy-map global_policy<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; class inspection_default<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; no inspect icmp</P><P>6 Nov 25 2010 10:27:12 302020 10.10.10.10 1 10.100.1.1 0 Built inbound ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0</P><P><BR /><STRONG style="text-decoration: underline; ">ICMP session is established in the fast-path when statefull ICMP packet is enabled using ICMP inspection command</STRONG></P><P></P><P>Looking for an explanation for the statements in bold and underlign and both cases the host from inside keep sending request timed out. Ideas and comments to resolved the request time out to reply will be greatly appreciate.</P><P></P><P>Thanks a lot,</P><P></P><P>Jean Paul</P><P><SPAN style="text-decoration: underline;"><BR /></SPAN></P> Mon, 11 Mar 2019 19:14:39 GMT Jean Paul Enerst 2019-03-11T19:14:39Z https://community.cisco.com/t5/network-security/fw-log-clarifications/m-p/1517497#M588955 <P>Hi all Expert,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Can someone help me to understand the log output of my ASA.&nbsp; First let me try to explain the dilemma. I am trying to reach the ASA interface in another DMZ. Let's say that I am in the inside interface and try to reach DMZ100(ping from inside 10.10.10.10 to DMZ100 AT 10.100.1.1). There is what the ASA shows and what I am trying to understand:</P><P></P><P>1. I have icmp enable in the default inspection rule</P><P></P><P>6 Nov 25 2010 10:20:56 302021 10.10.10.10 1 10.100.1.1 0 Teardown ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0</P><P>And below is the explanation given by the ASA when I hover my mouse over the output</P><P><STRONG style="text-decoration: underline; "> ICMP connection is removed in the fast path when statefull ICMP packet is enabled using ICMP INSPECT COMMAND</STRONG></P><P><STRONG style="text-decoration: underline; ">ICMP is enable under inspect rule</STRONG></P><P></P><P>2. icmp is disable in the inspection rule</P><P>policy-map global_policy<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; class inspection_default<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; no inspect icmp</P><P>6 Nov 25 2010 10:27:12 302020 10.10.10.10 1 10.100.1.1 0 Built inbound ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0</P><P><BR /><STRONG style="text-decoration: underline; ">ICMP session is established in the fast-path when statefull ICMP packet is enabled using ICMP inspection command</STRONG></P><P></P><P>Looking for an explanation for the statements in bold and underlign and both cases the host from inside keep sending request timed out. Ideas and comments to resolved the request time out to reply will be greatly appreciate.</P><P></P><P>Thanks a lot,</P><P></P><P>Jean Paul</P><P><SPAN style="text-decoration: underline;"><BR /></SPAN></P> Mon, 11 Mar 2019 19:14:39 GMT https://community.cisco.com/t5/network-security/fw-log-clarifications/m-p/1517497#M588955 Jean Paul Enerst 2019-03-11T19:14:39Z https://community.cisco.com/t5/network-security/fw-log-clarifications/m-p/1517498#M588956 <HTML><HEAD></HEAD><BODY><P>ASA does not support that. You can't ping the cross interface (ie: if you are connected to the inside interface of the ASA, you can't ping the DMZ interface of the ASA). This is not supported by design.</P><P>If you are connected to the ASA inside interface, you can only ping the ASA inside interface, and to ping the DMZ interface, you would need to be connected from the DMZ interface of the ASA.</P><P></P><P>The ICMP inspection is for ICMP traffic through the ASA, ie: a host from inside network tried to ping a host at dmz network.</P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 25 Nov 2010 22:32:48 GMT https://community.cisco.com/t5/network-security/fw-log-clarifications/m-p/1517498#M588956 Jennifer Halim 2010-11-25T22:32:48Z