Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1938
Views
0
Helpful
1
Replies

Deny ICMP reverse path check from [ASA inside interface IP] to [NAT-translated outside IP] on interface outside

lrcai
Level 1
Level 1

‎12-04-2019 01:27 PM - edited ‎12-04-2019 01:33 PM

Hello. I've been trying to resolve some "Deny ICMP reserve path check" messages and I'm coming up short. Can someone solve this mystery?

 

I've got an ASA 5516-X connected on the outside interface at W.X.Y.Z and the inside interface as 192.168.4.1/24. My default NAT entry any interface IPs going to the outside interface to W.X.Y.Z. The inside interface connects to a Cisco access switch and VLAN with no ip or routing. I've got a PC at 192.168.4.2 on that same VLAN. Everything seems to be working great.

 

If I run "tracert -h 1 8.8.8.8" ("-h 1" means only take one hop and then end) on my PC I immediately get three of these in my ASA log:

Deny ICMP reverse path check from 192.168.4.1 to [W.X.Y.Z] on interface outside

 

It's clear why I get three; tracert is trying three times. But, the tracert actually works and I see 192.168.4.1 as my next hop. Plus, I see the blocked packet in a packet capture. A NAT translation has occurred.

 

Again, I don't have any issues with how my network is functioning, I just have these messages that I can't explain, and I wonder if I have something misconfigured. So, can someone provide some theories about what's happening and/or an explanation of something I don't understand? TIA.

Labels:
0 Helpful
1 Reply 1

lrcai
Level 1
Level 1

‎12-05-2019 01:48 PM

Updating with additional information:

 

When a single traceroute packet with TTL set to 1 arrives at the ASA, the ASA responds by sending two different "ICMP Time-to-live exceeded" packets. 

One is captured at the outside interface egress with source 192.168.4.1 and destination W.X.Y.Z. It has been NAT-translated. This one sets of the reverse path check.

The other is captured at the inside interface ingress with source 192.168.4.1 and destination 192.168.4.2. This one gets back to the PC traceroute call as expected.

Is this how it's supposed to work? What might I configure differently?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card