ASA 8.2(5)26 - ICMP echo request denied on outside?

tomeq82
Level 1

Hi,

I'm having a problem getting ICMP echo monitoring on the outside interface to work. I've set: icmp permit host monitoring_station_adress outside, but I still get:

%ASA-3-313001: Denied ICMP type=8, code=0 from monitoring_station_adress on interface outside. I'm trying to directly monitor the IP on the ASA's outside interface.

I have an access-group tied to the "in" direction on the interface outside. Do I still have to put "permit icmp" rules in, despite the fact that the icmp permit outside command is set?

Greets,

Tomek

4 Replies

Jouni Forss
VIP Alumni

Hi,

Where is the host located that is trying to ICMP the ASA outside IP address?

If it's behind some other interface of the ASA than "outside", then the ICMP won't succeed.

- Jouni

Access-control to the ASA is never done in interface-acl. So remove everything that you've put in there while testing.

By default, the ASA allows ping also to the outside interface. You only need to allow that if you have other "icmp" rules active. The command for this would be:

icmp permit host 1.2.3.4 echo outside

With the first icmp-command you issue, you have a "deny the rest" rule at the end of your icmp-statements. So if you want to allow other traffic like unreachables, they have to be allowed also.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
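The behaviour described in the reply above (to-the-box ICMP is allowed until the first icmp statement exists on an interface, rules are matched in order, and everything unmatched is then denied) can be checked with the following small model. This is an added example, not code from the thread or from Cisco; the rule grammar it accepts is a subset of the ASA `icmp` command, and the sample rule lines and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "icmp" statements configured for the outside interface.
ICMP_RULES = [
    "icmp permit host 1.2.3.4 echo outside",
    "icmp permit any unreachable outside",
]

# Standard ICMP type numbers for the keywords used above.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class IcmpRule:
    action: str
    network: ipaddress.IPv4Network
    icmp_type: Optional[int]  # None means any ICMP type
    interface: str


def parse_rule(line: str) -> IcmpRule:
    # Accepted subset: icmp {permit|deny} {any | host A | A MASK} [type] if_name
    tokens = line.split()
    if tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp statement: {line}")
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        net, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.IPv4Network(rest[1] + "/32"), rest[2:]
    else:  # address followed by a dotted netmask
        net, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}"), rest[2:]
    icmp_type = None
    if len(rest) == 2:  # optional type keyword or number before the interface name
        icmp_type = ICMP_TYPES.get(rest[0], None) if rest[0] in ICMP_TYPES else int(rest[0])
        rest = rest[1:]
    return IcmpRule(action, net, icmp_type, rest[0])


def evaluate(rules: List[IcmpRule], src: str, icmp_type: int, interface: str) -> str:
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:  # no icmp statement on this interface: to-the-box ICMP is allowed
        return "permit"
    for r in applicable:  # first match wins
        if ipaddress.IPv4Address(src) in r.network and r.icmp_type in (None, icmp_type):
            return r.action
    return "deny"  # implicit "deny the rest" once any icmp statement exists


def check(rule_lines: List[str], src: str, icmp_type: int, interface: str) -> str:
    verdict = evaluate([parse_rule(l) for l in rule_lines], src, icmp_type, interface)
    if verdict == "deny":  # same message format as the syslog quoted in the question
        print(f"%ASA-3-313001: Denied ICMP type={icmp_type}, code=0 from {src} on interface {interface}")
    return verdict
```

Running `check(ICMP_RULES, "5.6.7.8", 8, "outside")` reproduces the 313001 denial from the question, while an interface with no icmp statements at all permits the echo.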

Just a remark on this: "Access-control to the ASA is never done in interface-acl.".

Access control can be done through an interface ACL if that ACL is applied to the control plane (using the control-plane keyword at the end of the access-group statement). But of course there are no such ACLs applied by default.

Yes, but I didn't care about this specific feature (and I wouldn't call that a "normal" interface-acl).

My point was that many admins put to-the-box rules into the "normal" interface-acls, perhaps because many admins are used to that from the router config. I've seen that too many times and would consider that a misconfiguration.

