Welcome to Cisco Firewalls Community
ASA 5525 ICMP Bypass not working

Hello everyone. I have a problem that has to be solved immediately. I took a photo from the Cisco webpage that is identical to my design on a particular interface; just the IP addresses are different, but I will ask using the IP addresses in the photo.

So requirement is this way:

192.168.1.10 <---> 192.168.2.10 ICMP

192.168.1.10 <---> 192.168.2.10 80

192.168.1.10 <---> 192.168.2.10 443

But as you have already understood, the initial traffic goes from the router into the server directly and the answer comes back through the ASA, and that creates the problem. I permitted all possible reply traffic for all 3 protocols and bypassed each of them through the service policy. HTTP and HTTPS worked properly, but 192.168.1.10 cannot ping 192.168.2.10. I tried different access-lists but with no result. Finally I even permitted traffic from 192.168.2.10 to 192.168.1.10 with IP services and bypassed all IP services, but ping is still not working.

In my case 192.168.2.10 is 10.124.49.5 and 192.168.1.10 is 10.124.41.104. As you can see from the screenshot, even the ACL hits are recorded. But ping is not working.

What can be a problem?

Accepted Solution

Re: ASA 5525 ICMP Bypass not working

So, I could solve the problem by disabling inspection from the global policy and creating a new class under the global policy map which does not match the interesting traffic, matches any any, and inspects. This way I eliminated my reply traffic from inspection and all the other stuff is still inspected.
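The configuration the accepted solution describes, written out as ASA CLI. This is an added example, not the poster's own config: it uses the host addresses from the poster's diagram, the ACL and class-map names are my own, and it assumes the stock global_policy with its inspection_default class.

```cisco
! Added example, not the poster's config. 192.168.1.10 / 192.168.2.10 are from
! the poster's diagram; ACL and class-map names are constructed for this example.
! Reply traffic re-enters the ASA on the same inside interface, so allow that.
same-security-traffic permit intra-interface
!
! 1. The asymmetric host pair, both directions.
access-list ASYM_PAIR extended permit ip host 192.168.1.10 host 192.168.2.10
access-list ASYM_PAIR extended permit ip host 192.168.2.10 host 192.168.1.10
!
! 2. Everything except that pair. In a class-map ACL a deny ACE only excludes
!    the traffic from the class; it does not drop it.
access-list INSPECT_REST extended deny ip host 192.168.1.10 host 192.168.2.10
access-list INSPECT_REST extended deny ip host 192.168.2.10 host 192.168.1.10
access-list INSPECT_REST extended permit ip any any
!
class-map ASYM_PAIR_CLASS
 match access-list ASYM_PAIR
class-map INSPECT_REST_CLASS
 match access-list INSPECT_REST
!
policy-map global_policy
 ! TCP state bypass only covers TCP (the HTTP/HTTPS that already worked).
 ! ICMP inspection drops an echo-reply it never saw the request for, so the
 ! ICMP inspect must come off the class that sees the asymmetric replies.
 class inspection_default
  no inspect icmp
 class ASYM_PAIR_CLASS
  set connection advanced-options tcp-state-bypass
 class INSPECT_REST_CLASS
  inspect icmp
```

Without ICMP inspection on that pair the ASA no longer ties each echo-reply to an outstanding request, so the per-direction ACLs are the only control on that ICMP traffic; keep them host-specific. Check the result with show service-policy, which lists which class the ICMP inspect and the tcp-state-bypass setting are attached to.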


Re: ASA 5525 ICMP Bypass not working

Hi Orkhan,

Enable ICMP inspection in the service policy.

ref - https://www.petenetlive.com/KB/Article/0000351

*** Pls rate all useful responses ***
Good Luck

Re: ASA 5525 ICMP Bypass not working

Already enabled

Re: ASA 5525 ICMP Bypass not working

1 - Try enabling the ICMP protocol in the ACLs.
2 - Allow intra- and inter-interface same-security-level traffic.

Re: ASA 5525 ICMP Bypass not working

As @Kasun Bandara suggested, enter the command same-security-traffic permit intra-interface; this is because you are routing to/from the same inside interface.

Re: ASA 5525 ICMP Bypass not working

That is also done

Re: ASA 5525 ICMP Bypass not working

What is the OS you are using on the HTTP server? Try turning off the host firewall; maybe it is blocking the ping reply.

Re: ASA 5525 ICMP Bypass not working

As you can see from the photos, I enabled the ACL and inter and intra.

Re: ASA 5525 ICMP Bypass not working

Hi,

You can enable them as in the capture below. You can tick them and apply. Also disable the host firewall on the server.

Re: ASA 5525 ICMP Bypass not working

I do not think the problem is with the OS of the server. Host firewalls are disabled. When I disable ICMP inspection from the global policy, ping works. I mean my problem is that when inspection is enabled, the bypass settings are not working for ICMP traffic but work for TCP. All inter, intra and ACL configs were done beforehand.