cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6705
Views
10
Helpful
10
Replies

ICMP Pings Blocked

beatinger
Level 1
Level 1

I currently have the following ACL.  I am unable to ping any server at any external/public IP.  I am not sure why.

How would I go about fixing this?  Thank you very much!

 

access-list outside_access_in extended deny ip 51.222.38.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 65.197.196.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 212.70.149.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 114.231.8.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any4 object DNS-Server eq domain
access-list outside_access_in extended permit udp any4 object DNS-Server eq domain
access-list outside_access_in extended permit tcp any4 object WebServerIIS10 eq https
access-list outside_access_in extended permit tcp any4 object WebServerIIS10 eq www
access-list outside_access_in extended permit tcp any4 object Sendmail eq smtp
access-list outside_access_in extended permit tcp any4 object Sendmail eq 587
access-list outside_access_in extended permit tcp any4 object Sendmail eq 465
access-list outside_access_in extended permit tcp any4 object Sendmail eq pop3
access-list outside_access_in extended permit tcp any4 object Sendmail eq imap4
access-list outside_access_in extended permit tcp any4 object Sendmail eq 990
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object WebServerIIS10 eq 3389
access-list outside_access_in extended permit tcp any4 object WebServerIIS80 eq https
access-list outside_access_in extended permit tcp any4 object WebServerIIS80 eq www
access-list outside_access_in extended permit tcp any4 object ExchangeServer eq www
access-list outside_access_in extended permit tcp any4 object ExchangeServer eq https
access-list outside_access_in extended permit tcp any4 object Sendmail eq domain
access-list outside_access_in extended permit udp any4 object Sendmail eq domain
access-list outside_access_in extended permit tcp any4 object NAS eq www
access-list outside_access_in extended permit tcp any4 object NAS eq https
access-list outside_access_in extended permit tcp any4 object NAS eq 5001
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object WebServerIIS80 eq 3389
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object Cisco-5540 eq ssh
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object Cisco-5540 eq telnet
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq https
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq www
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq ssh
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq 5869
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq telnet
access-list outside_access_in extended permit tcp any4 object SQL-Server eq 3389

1 Accepted Solution

Accepted Solutions

 

Hello Colby,

 

I tried your suggestion and many other combinations, and nothing except the following kept working (for ALL hosts):

 

access-list outside_access_in extended permit icmp any any

 

I kept trying to use your examples, but could not figure out how to limit pings to specific hosts or objects.  I even tried this:

 

access-list outside_access_in extended permit icmp object WebServerIIS10 any

Sometimes, it's just truly amazing how difficult it is to get something to work, which should be so simple.

 

So I kept working on it, and this is what finally worked:

 

access-list outside_access_in extended permit icmp any object WebServerIIS10

 

Voila!  It's all in the order on this one.

 

Thank you very much for your help!

 

 

View solution in original post

10 Replies 10

Colby LeMaire
VIP Alumni
VIP Alumni

There is not enough information in your post to be able to help for sure.  With the ASA, ICMP is not allowed through by default.  You can make sure that you have ICMP inspection turned on in your global policy map.  The other option is to allow the echo-reply packets back through with an ACL.  Your ACL has that entry; however, we don't know where this ACL is applied or even where you are pinging from and to.  Probably the easiest thing you can do to troubleshoot issues like this is to use packet-tracer at the CLI or in the ASDM GUI.  The following community thread may help to guide you a bit more in troubleshooting this issue:

https://community.cisco.com/t5/network-security/packet-tracer-icmp-type-and-code/m-p/2553216

Hello Colby,

 

Thank you very much for your reply.  I am in the ASDM now, and cannot find anything related to "ICMP inspection", nor can I find anything about "global policy map."  So I looked up "ICMP Inspection" under "Help" in the ASDM, and found this:

 

ICMP Inspection
The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the ASA in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.  However, ICMP traffic directed to an ASA interface is never inspected, even if you enable ICMP inspection. Thus, a ping (echo request) to an interface can fail under specific circumstances, such as when the echo request comes from a source that the ASA can reach through a backup default route.  For information on enabling ICMP inspection, see Configure Application Layer Protocol Inspection.

 

So, in the ASDM, I went into the "Service Policy Rules" area of the Firewall and found the "inspection_default" under the "global_policy" rule.  I edited this rule, and under "Rule Actions" checked the checkbox next to "ICMP", which I believe turns on ICMP inspection.  I applied this and saved the configuration, and I still cannot ping anything except the router IP itself.  I then tried to move the ICMP allow line higher up (before the DENY instructions).  And this did not work either.

 

I therefore have cut and past the entire configuration here, so that it may be possible to figure out why I cannot ping any of the hosts from their outside IPs:

 

ciscoasa5540(config)# show config
: Saved
:
: Serial Number: JMX1112L1JH
: Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz
: Written by enable_15 at 18:58:16.389 UTC Tue Aug 4 2020
!
ASA Version 9.1(7)32
!
hostname ciscoasa5540
domain-name edenhosting.net
enable password ZPTx1zDL8pJ7Ffwu encrypted
passwd ZPTx1zDL8pJ7Ffwu encrypted
names
name 10.1.252.219 Sendmail description OLD Mail Server (92)
name 10.1.252.247 ExchangeServer description Exchange Server 2016 (94)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.246 NAS description Synology NAS (86)
name 10.1.252.250 WebServerIIS10 description Windows Server 2019 (88)
name 10.1.252.192 DRAC-VirtualServer description DRAC for Virtual Server (89)
name 10.1.252.245 DNS-Server description Primary DNS Server (91)
name 10.1.252.190 SQL-Primary description Primary MS-SQL Server (87)
name 10.1.252.254 Cisco-5540 description Cisco 5540 Firewall (90)
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.43.6.90 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address Cisco-5540 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Access the ASA using Telnet from another server on the network without the ADSM or COM port.
nameif telnetalternate
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
banner login Eden USA Cisco-5540
boot system disk0:/asa917-32-k8.bin
ftp mode passive
clock timezone UTC -8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server DNS-Server
name-server 8.8.8.8
domain-name edenhosting.net
object network SQL-Primary
host 10.1.252.190
object network WebServerIIS10
host 10.1.252.250
object network WebServerIIS80
host 10.1.252.249
object network Sendmail
host 10.1.252.219
object network ExchangeServer
host 10.1.252.247
object network DRAC-WebServer
host 10.1.252.191
object network NAS
host 10.1.252.246
object network DRAC-VirtualServer
host 10.1.252.192
object network DNS-Server
host 10.1.252.245
object network SQL-Server
host 10.1.252.190
object network Cisco-5540
host 10.1.252.254
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended deny ip 51.222.38.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 65.197.196.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 212.70.149.0 255.255.255.0 any4
access-list outside_access_in extended deny ip 114.231.8.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any4 object DNS-Server eq domain
access-list outside_access_in extended permit udp any4 object DNS-Server eq domain
access-list outside_access_in extended permit tcp any4 object WebServerIIS10 eq https
access-list outside_access_in extended permit tcp any4 object WebServerIIS10 eq www
access-list outside_access_in extended permit tcp any4 object Sendmail eq smtp
access-list outside_access_in extended permit tcp any4 object Sendmail eq 587
access-list outside_access_in extended permit tcp any4 object Sendmail eq 465
access-list outside_access_in extended permit tcp any4 object Sendmail eq pop3
access-list outside_access_in extended permit tcp any4 object Sendmail eq imap4
access-list outside_access_in extended permit tcp any4 object Sendmail eq 990
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object WebServerIIS10 eq 3389
access-list outside_access_in extended permit tcp any4 object WebServerIIS80 eq https
access-list outside_access_in extended permit tcp any4 object WebServerIIS80 eq www
access-list outside_access_in extended permit tcp any4 object ExchangeServer eq www
access-list outside_access_in extended permit tcp any4 object ExchangeServer eq https
access-list outside_access_in extended permit tcp any4 object Sendmail eq domain
access-list outside_access_in extended permit udp any4 object Sendmail eq domain
access-list outside_access_in extended permit tcp any4 object NAS eq www
access-list outside_access_in extended permit tcp any4 object NAS eq https
access-list outside_access_in extended permit tcp any4 object NAS eq 5001
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object WebServerIIS80 eq 3389
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object Cisco-5540 eq ssh
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object Cisco-5540 eq telnet
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq https
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq www
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq ssh
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq 5869
access-list outside_access_in extended permit tcp 76.170.247.0 255.255.255.0 object DRAC-VirtualServer eq telnet
access-list outside_access_in extended permit tcp any4 object SQL-Server eq 3389
pager lines 24
logging enable
logging asdm informational
logging from-address support@edenhosting.net
logging recipient-address support@edenhosting.net level critical
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu telnetalternate 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network SQL-Primary
nat (inside,outside) static 12.43.6.87
object network WebServerIIS10
nat (inside,outside) static 12.43.6.88
object network WebServerIIS80
nat (inside,outside) static 12.43.6.93
object network Sendmail
nat (inside,outside) static 12.43.6.92
object network ExchangeServer
nat (inside,outside) static 12.43.6.94
object network NAS
nat (inside,outside) static 12.43.6.86
object network DNS-Server
nat (inside,outside) static 12.43.6.91
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact

fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 management
auth-prompt accept You have been accepted into the CISCO ASA5540!
auth-prompt reject You have been rejected from the CISCO ASA5540!
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca

  <REMOVED for brevity>
quit
telnet 10.1.252.0 255.255.255.0 inside
telnet 172.16.1.0 255.255.255.0 telnetalternate
telnet timeout 10
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.1.252.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 60 burst-rate 400 average-rate 200
ntp server WebServerIIS80 source inside prefer
tftp-server inside WebServerIIS80 C:
username BjorgenEatinger password 3/wjPR32AjZdSzcQ encrypted
!

class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
!
!
policy-map type inspect http HTTP-LowSecurityLevel
description HTTP Security
parameters
protocol-violation action drop-connection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect ip-options
inspect icmp
inspect icmp error
class class-default
user-statistics accounting
policy-map type inspect dns DNS-MediumSecurityLevel
parameters
message-length maximum client 4096
message-length maximum 4096
message-length maximum server 4096
id-randomization
id-mismatch action log
policy-map type inspect netbios NetBIOS-MediumSecurityLevel
description NetBIOS
parameters
protocol-violation action drop log
policy-map type inspect esmtp ExtendedSMTP

parameters
no allow-tls
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
drop-connection log
!
service-policy global_policy global
smtp-server 10.1.252.219 10.1.252.250
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:55753bad8859d2eb0dc5ed30b0086a7c
ciscoasa5540(config)#

 

I honestly do not know what it going on.  Thank you very much for your help!

 

 

 

 

Try using packet-tracer on the ASA to see if the problem is even with the ASA.  Another device could be blocking ICMP or it could be a routing issue.  In ASDM, click on Tools->Packet Tracer.  Then fill in the options and it will tell you what is happening, if there is a problem, and where the problem is.  Following is a YouTube video showing how to use packet tracer:

https://www.youtube.com/watch?v=CXK_UbxsQNg

Hello Colby.

 

Thank you very much for your reply.  I watched the YouTube video, and it deals with pings from the INSIDE to the OUTSIDE, which works fine in my case.  I am trying to ping from OUTSIDE the network (using my desktop computer or cell phone), to the PUBLIC IPs (e.g., 12.43.6.88).  This is what does not work, and it should.  No servers, whether they be Linux, a Synology NAS, or Windows, will reply, so there is an issue with this firewall configuration.  The ONLY IP that will reply is the Cisco ASA itself, which is at 12.43.6.90.

Packet-tracer works from any direction.  But now that you explained a little better, I see the issue.  I thought you were trying to ping from your inside network to the Internet.  In that case, you would need the echo-reply packets to be allowed in your ACL or the ICMP inspection turned on.  But you are pinging from the outside to the inside.  In that case, your ACL needs to permit echo-request as well.  The way you have it written, you are only allowing reply packets.  Since you have ICMP inspection turned on now, just modify your existing icmp entry in your ACL to replace "echo-reply" with "echo-request".

Hello Colby,

 

Thank you for all of your suggestions.  I found that I could not change the existing configuration line from "echo-reply" to "echo request."  I would receive an error, pointing at the word "request."  So, I used the ASDM to "+Add" a new Access Rule for ICMP, and then went and looked at the CLI, and found that it had added this simple line:

 

access-list outside_access_in extended permit icmp any any

 

And now it works!  Sometimes, I wonder why Cisco makes things so difficult to understand and implement.  Thank you again for all of your help!  Unfortunately of course, it is already getting hammered by hackers on the outside.  Do you know of a way that the rate of use can be limited?  Thank you very much!

You should only allow what you absolutely need.  So you can modify your ACL to only allow ICMP to the servers that you want to allow.  Also, try to modify the line to just "echo" instead of "echo-request".  I said echo-request previously but echo is the same thing.

How is the ACL modified to allow pings to just a specific server?
Also, do you know if there is a rate limiter somewhere that I can use to limit the amount of times an IP can be blocked and then SHUNNED, or something.
I have an IP that is nailing our network at a high rate.

Using three of your servers as an example, this is what your ACL lines would look like:

permit icmp any4 host 12.43.6.86 echo

permit icmp any4 host 12.43.6.87 echo

permit icmp any4 host 12.43.6.88 echo

You can also deny the source of the bad traffic if it continues to hit your network.

 

Hello Colby,

 

I tried your suggestion and many other combinations, and nothing except the following kept working (for ALL hosts):

 

access-list outside_access_in extended permit icmp any any

 

I kept trying to use your examples, but could not figure out how to limit pings to specific hosts or objects.  I even tried this:

 

access-list outside_access_in extended permit icmp object WebServerIIS10 any

Sometimes, it's just truly amazing how difficult it is to get something to work, which should be so simple.

 

So I kept working on it, and this is what finally worked:

 

access-list outside_access_in extended permit icmp any object WebServerIIS10

 

Voila!  It's all in the order on this one.

 

Thank you very much for your help!