topic ASA 5525 ICMP Bypass not working in Network Security

ASA 5525 ICMP Bypass not working

orkhan.rustamli.96 — Fri, 21 Feb 2020 16:34:56 GMT

Hello everyone. I have a problem that has to be solved immediately. I took photo from cisco webpage that is identical to my design on particular interface. just the ip addresses are different but i will ask using ip addresses in the photo.

So requirement is this way:

192.168.1.10 <---> 192.168.2.10 ICMP

192.168.1.10 <---> 192.168.2.10 80

192.168.1.10 <---> 192.168.2.10 443

But as you already understood initial traffic goes from router into server directly and answer comes through ASA and it creates problem. I permitted all possible reply traffic for all 3 protocol. And bypassed each of them through service policy. HTTP and HTTPS worked properly but 192.168.1.10 cannot ping 192.168.2.10. I tried different access-lists but no result. Finally i even permitted traffic from 192.168.2.10 into 192.168.1.10 with IP services and bypassed all IP services but ping still not working.

In my case 192.168.2.10 is 10.124.49.5 and 192.168.1.10 is 10.124.41.104. As you see from ss that even acl hits are recorded. But ping is not working.

What can be a problem?

Re: ASA 5525 ICMP Bypass not working

Kasun Bandara — Mon, 17 Dec 2018 14:11:44 GMT

Hi Orkhan,

enable ICMP inspection in service policy.

ref - https://www.petenetlive.com/KB/Article/0000351

*** Pls rate all useful responses ***
Good Luck

Re: ASA 5525 ICMP Bypass not working

orkhan.rustamli.96 — Mon, 17 Dec 2018 14:21:13 GMT

Already enabled

Re: ASA 5525 ICMP Bypass not working

Kasun Bandara — Mon, 17 Dec 2018 14:25:45 GMT

1 - try enabling ICMP protocol in ACLs
2 - allow intra and inter same security level traffic

Re: ASA 5525 ICMP Bypass not working

Rob Ingram — Mon, 17 Dec 2018 15:49:43 GMT

As @Kasun Bandara suggested enter the command - same-security-traffic permit intra-interface this is because you are routing to/from the same inside interface.

Re: ASA 5525 ICMP Bypass not working

orkhan.rustamli.96 — Mon, 17 Dec 2018 16:08:13 GMT

That is also done

Re: ASA 5525 ICMP Bypass not working

Kasun Bandara — Mon, 17 Dec 2018 16:24:33 GMT

what is the OS you are using on http server? try turn off the Host firewall. may be its blocking the ping reply.

Re: ASA 5525 ICMP Bypass not working

orkhan.rustamli.96 — Mon, 17 Dec 2018 16:58:13 GMT

As it seems from photos i enabled acl and inter and intra

Re: ASA 5525 ICMP Bypass not working

Kasun Bandara — Tue, 18 Dec 2018 03:27:02 GMT

Hi,

you can enable them as below capture. you can tick them and apply. also disable Host firewall in server.

Re: ASA 5525 ICMP Bypass not working

orkhan.rustamli.96 — Tue, 18 Dec 2018 05:10:59 GMT

I do not think that problem with OS of the server. Host Firewalls are disabled. When i disable ICMP inspection from global policy ping works. I mean my problem is that when inspection is enabled bypass settings not working for icmp traffic but works for tcp. All inter,intra, acl confs are done beforehand

Re: ASA 5525 ICMP Bypass not working

orkhan.rustamli.96 — Tue, 18 Dec 2018 05:41:35 GMT

Soo, I can solve the problem by disabling inspection from global policy. Creating new class unders global policy map which no matching interesting traffic and matching any any and inspect. This way i eleminated by reply traffic from inspection and all other stuff still inspected