Allow ping to outside interface

rmessina
Level 1

How do I allow my outside interface to be pingable from the outside? I've tried configuring an access rule to allow ICMP on the outside interface with no success. I'm still seeing the "deny inbound ICMP type 8 code 0" messages in the syslog. Thanks.


manish arora
Level 6

Can you please post the output of "sh service-policy | in icmp"? If nothing shows up, then do:

asa(config)# fixup protocol icmp

Also, if that doesn't help, post the syslog plus the access-list and the access-group for that access-list.

Manish

Inspect: icmp, packet 3745, drop 337, reset-drop 0. Thanks

Randy,

Can you please post the "sh logging" output and also the access-list and access-group for the outside interface.

Also, are you trying to ping the outside interface from inside the firewall or from an outside, neutral location?

Manish

rmessina
Level 1

Lots of this...

%ASA-3-313001: Denied ICMP type=8, code=0 from x.x.x.x on interface outside

%ASA-3-313001: Denied ICMP type=8, code=0 from x.x.x.x on interface outside

The only thing in the access-list for the outside interface is "allow any any icmp", then the implicit deny at the end.

I just want the outside interface pingable from an outside location for temporary testing.

Thanks for your help!

It might be foolish to ask, but did you apply the access-list on the interface?

If yes, then:

1> Please provide the version running on the ASA.

2> Paste the output from:

     asa# packet-tracer input outside icmp x.x.x.x (remote IP address) 8 0 X.X.X.X (outside interface IP) detailed

Manish

Yes, I created the access rule in ASDM.

ver 8.2(2)

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac596e0, priority=12, domain=punt, deny=false
        hits=487, user_data=0xca8d9b20, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9982370, priority=1, domain=permit, deny=false
        hits=5439727, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in     255.255.255.255 identity

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9983b90, priority=120, domain=permit, deny=false
        hits=7629, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9984aa8, priority=0, domain=inspect-ip-options, deny=true
        hits=1348069, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcaa2a028, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=26, user_data=0xce47464, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9984280, priority=66, domain=inspect-icmp, deny=false
        hits=7662, user_data=0xc9984168, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9984720, priority=66, domain=inspect-icmp-error, deny=false
        hits=1308719, user_data=0xc9984608, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca811740, priority=70, domain=encrypt, deny=false
        hits=26, user_data=0xce2a3ec, cs_id=0xca5aa648, reverse, flags=0x0, protocol=0
        src ip=, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
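The two diagnostic artifacts in this thread are the %ASA-3-313001 syslog lines and the packet-tracer output above, and the notable thing about the latter is that every phase reports ALLOW while the trailing Result block still says "Action: drop". The following is an added example (not code from the thread or from Cisco) that parses both formats so the verdict can be pulled out mechanically; the sample inputs are constructed from the poster's output (the packet-tracer sample is cut down to three phases, and the extra %ASA-6-302020 line is made up to show unrelated messages are ignored).

```python
"""Parse ASA 313001 syslog lines and packet-tracer output.  Added example,
not from the thread; sample inputs below are constructed from it."""
import re
from collections import Counter

# Constructed: the thread's two 313001 lines plus one unrelated message.
SYSLOG_SAMPLE = """\
%ASA-3-313001: Denied ICMP type=8, code=0 from x.x.x.x on interface outside
%ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.9/0 gaddr 203.0.113.5/1 laddr 192.168.11.50/1
%ASA-3-313001: Denied ICMP type=8, code=0 from x.x.x.x on interface outside
"""

# Constructed: the poster's packet-tracer output reduced to three phases.
TRACER_SAMPLE = """\
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac596e0, priority=12, domain=punt, deny=false

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Result:
input-interface: outside
input-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
"""

DENIED_RE = re.compile(
    r"%ASA-\d-313001: Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")   # "Type: X", "Action: drop", ...
DROP_RE = re.compile(r"^\(([^)]+)\)\s*(.*)$")   # "(ipsec-spoof) IPSEC Spoof detected"


def denied_icmp(log_text):
    """Count 313001 denials keyed by (interface, ICMP type, ICMP code)."""
    counts = Counter()
    for m in DENIED_RE.finditer(log_text):
        icmp_type, code, _src, iface = m.groups()
        counts[(iface, int(icmp_type), int(code))] += 1
    return counts


def parse_packet_tracer(text):
    """Return per-phase verdicts plus the trailing Result block."""
    phases, final, current, in_final = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current, in_final = {"phase": int(m.group(1))}, False
            phases.append(current)
            continue
        if line == "Result:":          # bare header of the summary block
            current, in_final = None, True
            continue
        m = KV_RE.match(line)          # rule dumps ("in  id=...") do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if in_final:
            final[key] = value
        elif current is not None and key in ("type", "subtype", "result"):
            current[key] = value
    drop_code = drop_text = None
    if "drop-reason" in final:
        dm = DROP_RE.match(final["drop-reason"])
        if dm:
            drop_code, drop_text = dm.groups()
    return {"phases": phases, "action": final.get("action"),
            "output_interface": final.get("output-interface"),
            "drop_code": drop_code, "drop_text": drop_text}


def explain(trace):
    """One-line verdict: the first non-ALLOW phase, else the final drop reason."""
    for p in trace["phases"]:
        if p.get("result", "").upper() != "ALLOW":
            return f"denied in phase {p['phase']} ({p.get('type')}/{p.get('subtype')})"
    if trace["action"] == "drop":
        return f"all phases ALLOW, dropped after lookup: {trace['drop_code']}"
    return "allowed"


if __name__ == "__main__":
    print(denied_icmp(SYSLOG_SAMPLE))
    print(explain(parse_packet_tracer(TRACER_SAMPLE)))
```

The point of explain() is the case this thread hits: no phase denies the packet, so looking only at the phases would suggest the ACL is fine, and the real answer sits in the Drop-reason of the final block.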

Do you have the source and destination IP addresses in any VPN interesting-traffic ACL?

Drop-reason: (ipsec-spoof) IPSEC Spoof detected:

This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Manish

I'm using Easy VPN

You should post your configuration (remove passwords and change public IPs, e.g. 1.1.1.1 = 1.x.x.1). I think there is some misconfiguration that is causing the firewall to see ICMP packets from your source as encrypted, whereas it should be encrypted.

Manish

Check if ICMP Inspect is enabled in the global policy-map.

ICMP inspect is enabled. Thanks, Tim.

The address on the outside interface that we are trying to ping is assigned via DHCP. Below is the running config. We are using Easy VPN to establish a VPN connection back to our office.

ASA Version 8.2(2)
!
hostname ASA5505
domain-name
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.49 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging buffer-size 16000
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 30
management-access inside
dhcpd lease 86400
dhcpd domain us
dhcpd auto_config outside
dhcpd option 150 ip 10.20.20.11 10.20.20.12
!
dhcpd address 192.168.11.50-192.168.11.62 inside
dhcpd dns 10.20.16.4 10.20.16.3 interface inside
dhcpd domain interface inside
dhcpd enable inside
!
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup Kiosk password
vpnclient username branch password
vpnclient enable
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.20.0.1 source inside prefer
webvpn
username
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCESer
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

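Two separate mechanisms decide what happens to ICMP on an ASA, and the posted config touches both: the access-list bound with "access-group ... in interface outside" governs traffic passing through the box, while the "icmp permit/deny" lines form the ICMP control list for traffic addressed to the interface itself. The ASA behaviour the following audit encodes is the documented one: with no icmp rules on an interface, all ICMP to that interface is accepted; once any rule exists, rules are tried in order and anything unmatched is dropped by an implicit deny, which is what the %ASA-3-313001 message reports. The posted config has only "icmp permit any echo-reply outside", so echo (type 8) to the outside address matches nothing in that list. This is an added example (not from the thread or from Cisco); the config excerpt is constructed from the lines the poster shared, the source address 198.51.100.7 is a documentation-range placeholder, and ICMP types are compared by keyword as written. It does not claim to resolve the thread: the packet-tracer output above reports a different drop reason (ipsec-spoof), which this audit does not model.

```python
"""Audit the ASA 'icmp' control list for ICMP sent to an interface address.
Added example, not from the thread.  Rule model: no rules on an interface
means accept all; otherwise first match wins and unmatched is denied."""
import ipaddress

# Constructed excerpt of the posted running config (relevant lines only).
POSTED_CONFIG = """\
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
"""

# Constructed variant for comparison: same config plus a rule permitting
# echo requests to the outside interface.  Not a claim that this alone fixes
# the poster's case, where packet-tracer reported an ipsec-spoof drop.
WITH_ECHO_RULE = POSTED_CONFIG + "icmp permit any echo outside\n"


def parse_icmp_rules(config):
    """Parse 'icmp {permit|deny} {any|host A|A MASK} [type] IFACE' lines.
    Other icmp commands (e.g. 'icmp unreachable rate-limit') are skipped."""
    rules = []
    for line in config.splitlines():
        t = line.strip().split()
        if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
            continue
        if t[2] == "any":
            src, rest = ipaddress.ip_network("0.0.0.0/0"), t[3:]
        elif t[2] == "host":
            src, rest = ipaddress.ip_network(t[3] + "/32"), t[4:]
        else:   # dotted subnet mask, as the ASA CLI writes it
            src, rest = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4:]
        if len(rest) == 1:
            icmp_type, iface = None, rest[0]        # no type given: matches every type
        elif len(rest) == 2:
            icmp_type, iface = rest
        else:
            continue
        rules.append({"action": t[1], "src": src, "type": icmp_type,
                      "interface": iface, "line": line.strip()})
    return rules


def to_box_icmp_decision(config, interface, icmp_type, src_ip):
    """Decide whether ICMP of icmp_type from src_ip, addressed to the
    interface itself, is accepted.  Returns (decision, matching line or None)."""
    rules = [r for r in parse_icmp_rules(config) if r["interface"] == interface]
    if not rules:
        return "permit", None                       # no control list: accept all
    src = ipaddress.ip_address(src_ip)
    for r in rules:                                  # first match wins
        if src in r["src"] and r["type"] in (None, icmp_type):
            return r["action"], r["line"]
    return "deny", None                              # implicit deny (logged as 313001)


def inbound_acl(config, interface):
    """Name and entries of the ACL bound inbound on the interface.  This ACL
    applies to traffic through the box, not to ICMP aimed at the interface."""
    name = None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-group"] and t[2:5] == ["in", "interface", interface]:
            name = t[1]
    entries = [l.strip() for l in config.splitlines()
               if l.startswith(f"access-list {name} ")] if name else []
    return name, entries


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("with echo rule", WITH_ECHO_RULE)):
        for itype in ("echo", "echo-reply"):
            print(label, "outside", itype,
                  to_box_icmp_decision(cfg, "outside", itype, "198.51.100.7"))
    print(inbound_acl(POSTED_CONFIG, "outside"))
```

Run against the posted excerpt, the audit reports that the through-the-box ACL permits all ICMP while the to-the-box control list on outside permits only echo-reply, so an inbound echo to the interface address falls to the implicit deny; the inside interface has no icmp rules and therefore accepts everything.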

Tim Schneider
Level 1

Another idea:

Have you enabled ICMP permissions on the outside interface?

ASA(config)# interf eth0/0
ASA(config-if)# i
ASA(config-if)# icmp ?
configure mode commands/options:
  deny         Specify packets to reject
  permit       Specify packets to forward
  unreachable  Configure unreachable behavior

I tried 'icmp permit any outside' on eth0/0 with no success. It's really frustrating. Thanks for the suggestions.
