https://community.cisco.com/t5/network-security/firewall-configuration-assistance/m-p/1410835#M727963 <HTML><HEAD></HEAD><BODY><P>That appears to be ICMP time exceeded message.</P><P>May be someone from the inside was trying to do a traceroute to an ip address on the outside and the icmp time exceeded message arriving on the outside interface is being denied.&nbsp; I am not sure if you have icmp and icmp error inspection enabled. In addition to that you need to allow icmp time exceeded and icmp unreachable on the outside interface.</P><P></P><P><SPAN>To uderstand how traceroute works follow this link: </SPAN><A class="jive-link-external-small" href="http://www.freesoft.org/CIE/Topics/54.htm">http://www.freesoft.org/CIE/Topics/54.htm</A></P><P></P><P>-KS</P></BODY></HTML> Sun, 28 Mar 2010 22:52:49 GMT Kureli Sankar 2010-03-28T22:52:49Z https://community.cisco.com/t5/network-security/firewall-configuration-assistance/m-p/1410834#M727946 <P>I am seeing this message on my syslog server that I have NO explaination for.&nbsp; <BR />Perhap someone can point me to the right direction.</P><P></P><P>hostA---(i)ASAVPN(o)---ASAFW---Internet---VPNc--hostB</P><P></P><P>I have a site-to-site VPN between hostA and hostB between the ASA and the VPNc.<BR />hostA is 192.168.1.1, ASAVPN inside interface is 192.168.1.254. ASAVPN outside interface<BR />is 10.1.1.1 and the ASAFW internal interface is 10.1.1.254.&nbsp; here is the configuration on <BR />the ASAFW, VPNc external ip address is 65.198.18.190:</P><P></P><P>static (i,o) 4.2.2.2 10.1.1.1 netmask 255.255.255.255<BR />access-list FW-out permit icmp VPNc 4.2.2.2 log<BR />access-list FW-out permit udp VPNc 4.2.2.2 eq 500 log<BR />access-list FW-out permit udp VPNc 4.2.2.2 eq 4500 log<BR />access-list FW-out permit esp VPNc 4.2.2.2 log<BR />access-list FW-out deny ip any any log<BR />access-group FW-out in interface outside</P><P></P><P>on the ASAVPN, this is what I have (relevant configuration):</P><P></P><P>no nat-control<BR />icmp permit host 10.1.1.254 outside<BR />access-list vpn permit host 192.168.1.1 host 192.168.2.1<BR />isakmp identity address<BR />isakmp nat-traversal 10<BR />crypto isakmp enable<BR />crypto map vpn 10 ipsec-isakmp<BR />crypto map vpn 10 set peer VPNc<BR />crypto map vpn 10 set trans 3des<BR />crypto map vpn 10 set pfs group2<BR />crypto map vpn 10 match address vpn<BR />crypto map vpn interface outside</P><P></P><P>VPNc public interface:&nbsp; 165.10.18.59<BR />VPNc Private interface: 192.168.2.254<BR />hostB:&nbsp; 192.168.2.1</P><P></P><P>ASA is running version 8.2.1</P><P></P><P>The site-2-site VPN between the VPNc and the ASAVPN is working fine.&nbsp; However, I am getting this syslog<BR />message from the ASAVPN on my syslog server:</P><P></P><P>ASAVPN Mar 25 2010 02:09:39: %ASA-3-313001: Denied<BR />ICMP type=11, code=0 from 152.63.38.173 on interface outside</P><P></P><P>How does this IP 152.63.38.173 even make it to the ASAVPN device? </P> Mon, 11 Mar 2019 17:26:43 GMT https://community.cisco.com/t5/network-security/firewall-configuration-assistance/m-p/1410834#M727946 cciesec2011 2019-03-11T17:26:43Z https://community.cisco.com/t5/network-security/firewall-configuration-assistance/m-p/1410835#M727963 <HTML><HEAD></HEAD><BODY><P>That appears to be ICMP time exceeded message.</P><P>May be someone from the inside was trying to do a traceroute to an ip address on the outside and the icmp time exceeded message arriving on the outside interface is being denied.&nbsp; I am not sure if you have icmp and icmp error inspection enabled. In addition to that you need to allow icmp time exceeded and icmp unreachable on the outside interface.</P><P></P><P><SPAN>To uderstand how traceroute works follow this link: </SPAN><A class="jive-link-external-small" href="http://www.freesoft.org/CIE/Topics/54.htm">http://www.freesoft.org/CIE/Topics/54.htm</A></P><P></P><P>-KS</P></BODY></HTML> Sun, 28 Mar 2010 22:52:49 GMT https://community.cisco.com/t5/network-security/firewall-configuration-assistance/m-p/1410835#M727963 Kureli Sankar 2010-03-28T22:52:49Z