ICMP permitted but still being denied by ip deny any any

nathan demers
Level 1

OK, real simple, I'm sure.

I have allowed an object-group to access outside interfaces of some international devices for monitoring up status. I know the object-group works because I'm able to monitor other IPs.

Let's say the host in question in this group is a.b.c.d

--The Obj Group--

object-group network network-devices_monitoring_external
 description Externally facing interfaces of international devices
 network-object host a.b.c.d

--The ACL--

access-list Company-IN line 185 extended permit icmp object-group zenoss-monitoring object-group network-devices_monitoring_external echo

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here is the packet-tracer input.

(I have double checked the source IP. Besides, it works for other destination IPs.)

packet-tracer input XanGo icmp 10.1.12.144 8 0 a.b.c.d detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xccd57130, priority=1, domain=permit, deny=false
        hits=36284608254, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Company-IN in interface Company
access-list Company-IN extended deny ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcca36b80, priority=12, domain=permit, deny=true
        hits=259417637, user_data=0xca3b2a80, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: "Company"
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

4 Replies

Jennifer Halim
Cisco Employee

If you are trying to ping the outside interface IP address of the ASA, then you would need to configure the "icmp" command instead of the access-list on the outside interface. If you don't have any "icmp" command, the default action is to allow ping. However, if you have an existing "icmp" command and your monitoring host is not listed as allowed, then it will be denied.

Eg:

icmp permit echo Outside

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i1.html#wp1717728

So I guess I should have been a bit clearer. I am passing THROUGH the ASA out to the internet to reach a remote device.

Zenoss ---> ASA ----> Internet --> Remote device

Ramraj mentioned that I need echo reply on the Outside interface for replies, but shouldn't that be irrelevant for the following two reasons?

1. Some of the hosts in the object-group work, meaning Zenoss can ping them and get a reply. So the ACL in theory should be correct, and echo replies are passing through the Outside interface back to Zenoss.

2. ASA firewalls are stateful, so as long as the ACL permits the initiator (Zenoss) to ping out to the remote device, the ASA should allow the echo reply to pass through back to Zenoss.

Thoughts on this?

Yes to both your points 1 & 2.

Also assuming that you have configured "inspect icmp".

BTW, are you saying that you have hosts in the object-group and all is working fine, but 1 particular remote host is not pingable?

Can you please share your config and advise which IP is not working.
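The two mechanisms discussed in this thread, first-match ACL evaluation ending at the explicit "deny ip any any" the packet-tracer output reports, and the stateful return-flow behaviour that makes an explicit echo-reply permit unnecessary when ICMP is inspected, can be modelled in a few dozen lines. The following Python is an added example, not code from the original post or from Cisco; the object-group members (10.1.12.144 as the Zenoss host, 203.0.113.10 as the monitored device) are constructed sample values, and the toy state table only approximates what "inspect icmp" does on a real ASA.

```python
"""Toy model of ASA-style ACL evaluation with object-groups plus a stateful
ICMP return-flow check. Added example; configuration below is constructed."""
from dataclasses import dataclass
from typing import Optional, Set
import ipaddress

# Constructed config modelled on the thread's object-group and ACL lines.
# 10.1.12.144 is the monitoring host from the packet-tracer command;
# 203.0.113.10 stands in for the anonymised a.b.c.d.
CONFIG = """
object-group network zenoss-monitoring
 network-object host 10.1.12.144
object-group network network-devices_monitoring_external
 description Externally facing interfaces of international devices
 network-object host 203.0.113.10
access-list Company-IN extended permit icmp object-group zenoss-monitoring object-group network-devices_monitoring_external echo
access-list Company-IN extended deny ip any any
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: Optional[Set]          # None means "any"
    dst: Optional[Set]
    icmp_type: Optional[str]    # e.g. "echo"; None means any ICMP type


def parse_addr(tok, i, groups):
    """Consume one address spec (any | host X | object-group G) starting at tok[i]."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return {ipaddress.ip_address(tok[i + 1])}, i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    raise ValueError(f"unsupported address token {tok[i]!r}")


def parse_config(text):
    """Return {acl_name: [Ace, ...]} in configured order (order matters)."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = set()
        elif line.startswith("network-object host "):
            groups[current].add(ipaddress.ip_address(line.split()[2]))
        elif line.startswith("access-list "):
            tok = line.split()
            # access-list NAME extended ACTION PROTO <src> <dst> [icmp-type]
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = parse_addr(tok, 5, groups)
            dst, i = parse_addr(tok, i, groups)
            icmp_type = tok[i] if i < len(tok) else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, icmp_type))
    return acls


def in_set(addrs, ip):
    return addrs is None or ip in addrs


def evaluate(acl, proto, src, dst, icmp_type=None):
    """First matching ACE wins; returns (action, 1-based ACE index or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if not (in_set(ace.src, src) and in_set(ace.dst, dst)):
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, n
    return "deny", None   # implicit deny when no ACE matched


class IcmpStateTable:
    """Approximates 'inspect icmp': an echo-reply is only admitted if it
    answers an echo request the ACL already permitted outbound."""

    def __init__(self, acl):
        self.acl = acl
        self.pending = set()

    def outbound_echo(self, src, dst, icmp_id):
        action, _ = evaluate(self.acl, "icmp", src, dst, "echo")
        if action == "permit":
            self.pending.add((dst, src, icmp_id))   # expected reply tuple
        return action

    def inbound_reply(self, src, dst, icmp_id):
        key = (src, dst, icmp_id)
        if key in self.pending:
            self.pending.discard(key)
            return "permit"
        return "deny"   # unsolicited reply: no flow to match


ACLS = parse_config(CONFIG)
COMPANY_IN = ACLS["Company-IN"]
```

Running evaluate() for the thread's echo request returns ("permit", 1); pointing the same request at an address that is not in network-devices_monitoring_external, or sending TCP to a host that is, falls through to ACE 2, the same "deny ip any any" shown in Phase 4 of the packet-tracer output. The state table then shows the second point raised above: a reply that matches an admitted request is allowed without any echo-reply ACE, while a reply with no matching request is dropped.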

Hi Bro

You need ICMP enabled on the incoming interface, and ECHO REPLY on the return interface. If you need the assistance of the people here, please do paste your config here, so that we can tell you exactly what's right and what's wrong.

Warm regards,
Ramraj Sivagnanam Sivajanam