01-15-2013 03:28 AM - edited 03-11-2019 05:47 PM
Hi,
I'm having a problem getting ICMP echo monitoring on the outside interface to work. I've set: icmp permit host monitoring_station_address outside, but I still get:
%ASA-3-313001: Denied ICMP type=8, code=0 from monitoring_station_address on interface outside. I'm trying to directly monitor the IP on the ASA's outside interface.
I have an access-group tied to the "in" direction on interface outside. Do I still have to put "permit icmp" rules in despite the fact that the icmp permit outside command is set?
Greets,
Tomek
01-15-2013 03:37 AM
Hi,
Where is the host located that is trying to ICMP the ASA outside IP address?
If it's behind some other interface of the ASA other than "outside" then the ICMP won't succeed.
- Jouni
01-15-2013 03:42 AM
Access control to the ASA is never done in the interface ACL. So remove everything that you've put in there while testing.
By default, the ASA allows ping also to the outside interface. You only need to allow that if you have other "icmp" rules active. The command for this would be:
icmp permit host 1.2.3.4 echo outside
With the first icmp command you issue, you have a "deny the rest" rule at the end of your icmp statements. So if you want to allow other traffic like unreachables, they have to be allowed also.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
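The policy Karsten describes, written out as an ASA configuration fragment. This is an added example, not configuration posted in the thread; 203.0.113.10 stands in for the monitoring station's address and "outside" is assumed to be the interface name in use.

```cisco
! Constructed example: to-the-box ICMP policy on the outside interface.
! 203.0.113.10 is a placeholder for the monitoring station's address.
!
! The first "icmp" statement configured for an interface adds an implicit
! "deny the rest" at the end of the list, so everything the box itself must
! still receive on that interface has to be listed explicitly.
icmp permit host 203.0.113.10 echo outside
! Unreachables (path-MTU discovery) and time-exceeded (traceroute) would
! otherwise be dropped by the implicit deny once the list exists.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
!
! Nothing is needed in the interface ACL for this traffic: the access-group
! on "outside" governs traffic through the ASA, not traffic to it.
!
! Verification: list the active icmp statements, then look for drops of
! type 8 (echo) from the monitoring station, which is what 313001 reports.
show running-config icmp
show logging | include 313001
```

If the monitoring station sits behind a different interface, this list does not help: pinging an interface address from a host on another interface is not allowed on the ASA, as Jouni's reply notes.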
01-15-2013 04:21 AM
Just a remark on this: "Access-control to the ASA is never done in interface-acl."
Access control can be done through an interface ACL if that ACL is applied to the control plane (using the control-plane keyword at the end of the access-group statement). But of course there are no such ACLs applied by default.
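The control-plane variant mentioned above, as an added example rather than configuration from the thread. The ACL name, the monitoring station 203.0.113.10 and the outside interface address 198.51.100.1 are placeholders.

```cisco
! Constructed example: a control-plane ACL on the outside interface.
! Unlike a normal interface ACL, the "control-plane" keyword makes this
! access-group apply to traffic addressed to the ASA itself.
access-list outside-cp extended permit icmp host 203.0.113.10 host 198.51.100.1 echo
access-list outside-cp extended permit tcp host 203.0.113.10 host 198.51.100.1 eq https
! Log what else tries to reach the box on this interface, then drop it.
access-list outside-cp extended deny ip any any log
access-group outside-cp in interface outside control-plane
!
! Confirm the binding and watch the hit counters while the monitor polls.
show running-config access-group
show access-list outside-cp
```

The control-plane ACL is a separate check from the "icmp permit" statements; if both are configured on the interface, the echo has to be permitted by each of them, so test one mechanism at a time when troubleshooting a denial.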
01-15-2013 04:33 AM
Yes, but I didn't care about this specific feature (and I wouldn't call that a "normal" interface ACL).
My point was that many admins put to-the-box rules into the "normal" interface ACLs, perhaps because many admins are used to that from router configs. I've seen that too many times and would consider it a misconfiguration.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni