12-17-2018 06:01 AM - edited 02-21-2020 08:34 AM
Hello everyone. I have a problem that has to be solved immediately. I took a photo from the Cisco webpage that is identical to my design on a particular interface. Just the IP addresses are different, but I will ask using the IP addresses in the photo.
So the requirement is this way:
192.168.1.10 <---> 192.168.2.10 ICMP
192.168.1.10 <---> 192.168.2.10 80
192.168.1.10 <---> 192.168.2.10 443
But as you already understood, the initial traffic goes from the router to the server directly and the answer comes through the ASA, and it creates a problem. I permitted all possible reply traffic for all 3 protocols and bypassed each of them through a service policy. HTTP and HTTPS worked properly but 192.168.1.10 cannot ping 192.168.2.10. I tried different access-lists but with no result. Finally I even permitted traffic from 192.168.2.10 to 192.168.1.10 with IP services and bypassed all IP services, but ping is still not working.
In my case 192.168.2.10 is 10.124.49.5 and 192.168.1.10 is 10.124.41.104. As you see from the screenshot, even ACL hits are recorded. But ping is not working.
What can be the problem?
12-17-2018 06:11 AM
Hi Orkhan,
Enable ICMP inspection in the service policy.
ref - https://www.petenetlive.com/KB/Article/0000351
*** Pls rate all useful responses ***
Good Luck
12-17-2018 06:21 AM
12-17-2018 06:25 AM
12-17-2018 07:49 AM
As @Kasun Bandara suggested, enter the command same-security-traffic permit intra-interface. This is because you are routing to/from the same inside interface.
12-17-2018 08:08 AM
12-17-2018 08:24 AM
12-17-2018 08:58 AM
12-17-2018 07:27 PM
Hi,
You can enable them as in the capture below. You can tick them and apply. Also disable the host firewall on the server.
12-17-2018 09:10 PM
I do not think that the problem is with the OS of the server. Host firewalls are disabled. When I disable ICMP inspection from the global policy, ping works. I mean my problem is that when inspection is enabled, the bypass settings are not working for ICMP traffic but work for TCP. All inter, intra, and ACL configurations were done beforehand.
12-17-2018 09:41 PM
So, I can solve the problem by disabling inspection from the global policy and creating a new class under the global policy map which is not matching the interesting traffic and is matching any any and inspect. This way I eliminated my reply traffic from inspection and all other stuff is still inspected.