05-24-2012 09:24 PM - edited 03-11-2019 04:11 PM
Hi guys,
I'm having issues with NAT dropping ICMP on default NAT. Do I need to create another NAT for ICMP? Please let me know. Thank you in advance.
Here's the packet-tracer result:
firewall01# packet-tracer input inside icmp 172.23.1.74 0 10 8.8.8.8 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.23.0.0 255.255.224.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl.insidein in interface inside
access-list acl.insidein extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad704a18, priority=13, domain=permit, deny=false
hits=1592851, user_data=0xaa7ce080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad6a05a8, priority=0, domain=inspect-ip-options, deny=true
hits=129691357, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad6a0180, priority=66, domain=inspect-icmp-error, deny=false
hits=1876454, user_data=0xad69f798, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
object network obj_any
nat (inside,outside) dynamic public.Internet
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae0e6120, priority=6, domain=nat, deny=false
hits=122449445, user_data=0xae0e4ba0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
firewall01#
Here I'm using tcp port 80, so the NAT works:
firewall01# packet-tracer input inside tcp 172.23.1.74 http 8.8.8.8 http detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.23.0.0 255.255.224.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl.insidein in interface inside
access-list acl.insidein extended permit ip object-group core.tmg any
object-group network core.tmg
network-object host core.TMG01
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad7057d0, priority=13, domain=permit, deny=false
hits=119460891, user_data=0xaa7cde00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=core.TMG01, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad6a05a8, priority=0, domain=inspect-ip-options, deny=true
hits=129689554, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic public.Internet
Additional Information:
Dynamic translate core.TMG01/80 to xxx.xxx.xxx.xxx/450
Forward Flow based lookup yields rule:
in id=0xae0e6120, priority=6, domain=nat, deny=false
hits=122447673, user_data=0xae0e4ba0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad67ae70, priority=0, domain=inspect-ip-options, deny=true
hits=128333347, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 131283289, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
firewall01#
05-24-2012 09:37 PM
Hello Ja,
Please do it like this:
packet-tracer input inside icmp 172.23.1.74 8 0 8.8.8.8
Also if this does not work post the config
Regards,
Rate helpful posts
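Added example (not part of the thread or of Cisco's tooling): a small helper that sanity-checks the ICMP type/code arguments before blaming NAT (the first trace used type 0 code 10, but Echo Reply only carries code 0; Echo Request is type 8 code 0) and pulls the first DROP phase and Drop-reason out of packet-tracer output shaped like the traces above. The sample input is a constructed, abbreviated copy of the dropped trace.

```python
# Constructed, abbreviated copy of the dropped trace from the thread.
DROPPED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 6
Type: NAT
Subtype:
Result: DROP
nat (inside,outside) dynamic public.Internet
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Valid ICMP code ranges for common types (RFC 792); unknown types get no codes.
ICMP_CODES = {0: range(1), 3: range(16), 5: range(4), 8: range(1),
              11: range(2), 12: range(3)}


def icmp_args_ok(icmp_type, icmp_code):
    """True if '<type> <code>' is a combination a real ICMP packet can carry."""
    return icmp_code in ICMP_CODES.get(icmp_type, range(0))


def parse_trace(text):
    """Return (phases, action, drop_reason); bare 'Result:' and rule dumps are skipped."""
    phases, action, reason, current = [], None, None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            current = {"phase": int(value), "type": None, "result": None}
            phases.append(current)
        elif key == "Type" and current:
            current["type"] = value
        elif key == "Result" and current and value:
            current["result"] = value
        elif key == "Action":
            action = value
        elif key == "Drop-reason":
            reason = value
    return phases, action, reason


def first_drop(text):
    """(phase number, phase type, drop reason) of the first DROP, else None."""
    phases, _, reason = parse_trace(text)
    for p in phases:
        if p["result"] == "DROP":
            return p["phase"], p["type"], reason
    return None
```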
05-24-2012 10:14 PM
That seems to be working. However, users are still unable to ping to the Internet.
firewall01# packet-tracer input inside icmp 172.23.1.74 8 0 8.8.8.8 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.23.0.0 255.255.224.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl.insidein in interface inside
access-list acl.insidein extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad704a18, priority=13, domain=permit, deny=false
hits=1593070, user_data=0xaa7ce080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad6a05a8, priority=0, domain=inspect-ip-options, deny=true
hits=129769884, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad6a0180, priority=66, domain=inspect-icmp-error, deny=false
hits=1876742, user_data=0xad69f798, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic public.Internet
Additional Information:
Dynamic translate core.TMG01/0 to xxx.xxx.xxx.xxx/61416
Forward Flow based lookup yields rule:
in id=0xae0e6120, priority=6, domain=nat, deny=false
hits=122527286, user_data=0xae0e4ba0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 131363984, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
firewall01#
05-24-2012 10:32 PM
Got the icmp to work. I think it's the 'real IP' NAT feature of 8.3+ that was causing the issue.
Thanks jcarvaja.
05-24-2012 11:04 PM
Hello Ja,
Hmm, strange; well, the packet tracer said it should work. A capture could have told us what was happening here.
Anyway, good to know that everything is working now.
Please mark the question as answered so future users can learn from this.
Regards,
Julio