ASA-5516 ping between interfaces (icmp inspection ON, same-security-traffic PERMIT)

Hi everyone.

I am setting up a new Cisco ASA 5516-X and have a problem.
I have the ASA connected to two LANs (no internet connection)
interface inside - 10.50.0.1
interface tun - 10.1.200.18 (point-to-point network between 2 ASAs to route between branches, the next hop is 10.1.200.17)
There is no ping between them.
When I try to ping 10.1.200.18 (and everything behind it) I get an error:

r5516# packet-tracer input inside icmp 10.50.0.1 8 0 10.1.20.18

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.200.17 using egress ifc tun

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: tun
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

It seems that my traffic is blocked by the implicit "deny all" rule,
but I sort of have all the ACLs needed though...

!
interface GigabitEthernet1/1.17
vlan 17
nameif tun
security-level 100
ip address 10.1.200.18 255.255.255.252

!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.50.0.1 255.255.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.200.17, tun
C 10.1.200.16 255.255.255.252 is directly connected, tun
L 10.1.200.18 255.255.255.255 is directly connected, tun
...
C 10.50.0.0 255.255.0.0 is directly connected, inside
L 10.50.0.1 255.255.255.255 is directly connected, inside


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any tun
icmp permit any echo tun
icmp permit any echo-reply tun

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!

# show running-config access-list
access-list outbound extended permit icmp any any


access-group outbound in interface inside
access-group outbound out interface inside
access-group outbound in interface tun
access-group outbound out interface tun
access-group outbound global


I've tried deleting all the ACLs and lowering the security level on interface tun - no luck.
I have no NAT since I don't need internet access and all the networks are known between the routers; there are routes...

Thanks in advance for any assistance!

Accepted Solution

You are just testing it in the wrong way (for the inner workings of the ASA). Do a real test from an inside PC, or use packet-tracer with the source IP of an inside PC and not the ASA's inside IP address.

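The point of the accepted answer is that packet-tracer simulates through-the-box traffic, so feeding it one of the ASA's own interface addresses as the source produces a drop that says nothing about how a real host behind "inside" would be treated. The following Python checker is an added example, not code from the thread or from Cisco: it parses the interface stanzas and same-security lines pasted above (embedded here as a constructed sample copied from the question) and flags a packet-tracer command whose source is a box-owned address or lies outside the ingress subnet. The host address 10.50.0.100 in the corrected command is an assumption standing in for any real PC on the 10.50.0.0/16 LAN.

```python
import ipaddress
import re

# Constructed sample: the interface stanzas and the same-security knob copied from
# the running config pasted in the question above.
ASA_CONFIG = """
interface GigabitEthernet1/1.17
 vlan 17
 nameif tun
 security-level 100
 ip address 10.1.200.18 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.50.0.1 255.255.0.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
"""

# The command from the question, and a corrected one using an assumed inside host
# (10.50.0.100 is a placeholder for any real PC on the inside LAN).
ORIGINAL_TEST = "packet-tracer input inside icmp 10.50.0.1 8 0 10.1.20.18"
CORRECTED_TEST = "packet-tracer input inside icmp 10.50.0.100 8 0 10.1.20.18"


def parse_interfaces(config):
    """Map nameif -> (ip_interface, security-level) from 'interface' stanzas.

    A stanza ends at the next 'interface' line or a '!' separator.
    """
    ifaces = {}
    name = level = addr = None
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if name and addr is not None:
                ifaces[name] = (addr, level)
            name = level = addr = None
            continue
        m = re.match(r"nameif (\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"security-level (\d+)$", line)
        if m:
            level = int(m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            # ip_interface accepts the dotted-netmask form the ASA prints.
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def check_packet_tracer(cmd, ifaces):
    """Return a list of reasons why this packet-tracer test is not representative."""
    parts = cmd.split()
    if parts[:2] != ["packet-tracer", "input"] or len(parts) < 6:
        raise ValueError("expected: packet-tracer input <ifc> <proto> <src> ... <dst>")
    ingress, src = parts[2], ipaddress.ip_address(parts[4])
    findings = []
    for name, (addr, _) in ifaces.items():
        if src == addr.ip:
            findings.append(
                f"source {src} is the ASA's own '{name}' address; packet-tracer "
                f"simulates through-the-box traffic, so this does not test what a "
                f"host behind '{ingress}' sees"
            )
    if ingress not in ifaces:
        findings.append(f"unknown ingress interface '{ingress}'")
    elif src not in ifaces[ingress][0].network:
        findings.append(
            f"source {src} is not in {ingress}'s subnet {ifaces[ingress][0].network}"
        )
    return findings


def same_security_blocked(config, ifaces, ingress, egress):
    """True when both interfaces share a security level and the inter-interface
    permit is missing, which would block the flow regardless of ACLs."""
    if ifaces[ingress][1] != ifaces[egress][1]:
        return False
    return not re.search(r"^\s*same-security-traffic permit inter-interface\s*$",
                         config, re.M)


if __name__ == "__main__":
    ifaces = parse_interfaces(ASA_CONFIG)
    for cmd in (ORIGINAL_TEST, CORRECTED_TEST):
        print(cmd)
        for f in check_packet_tracer(cmd, ifaces) or ["looks like a representative test"]:
            print("  -", f)
    print("same-security blocked inside->tun:",
          same_security_blocked(ASA_CONFIG, ifaces, "inside", "tun"))
```

Run against the thread's config, the original command is flagged because 10.50.0.1 is the ASA's own inside address, while the corrected command with a host source passes; the same-security check confirms that the `permit inter-interface` line the poster already has is present, so the drop seen in Phase 4 was not caused by that setting.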

2 Replies

Karsten, you were right! I just had no physical access to the 'inside' network, so I couldn't try it for real. But when I finally tried to ping the outside networks from a real PC, it worked! Thanks a lot!