02-21-2016 01:14 PM - edited 03-12-2019 12:22 AM
Hi all,
Not entirely convinced that I've not missed something very simple along the way but am looking for some help. Essentially I can't ping the outside interface of my ASA from another network several hops away. However I can ping devices on the 'inside' interface. I am guessing this some sort of ICMP policy stopping this or perhaps just the default behaviour of the ASA but I'm not sure what I've missed. I am running version 9.4.
Topology is as follows:
192.168.1.0 - Inside
192.168.10.0 - Outside
|
MPLS Network
|
192.168.20.0 - Remote site
Access lists as follows:
outside_out extended permit icmp any any object-group networksvc-ping
outside_in extended permit icmp any any object-group networksvc-ping
inside_out extended permit icmp any any object-group networksvc-ping
inside_in extended permit icmp any any object-group networksvc-ping
Applied to:
access-group outside_in in interface Outside
access-group outside_out out interface Outside
access-group inside_in in interface inside
access-group inside_out out interface inside
Also policy-maps:
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
Single default route via the inside. Couple of statics pointing to internal networks behind the inside interface. All inside interface IPs can be pinged. However, from the outside I cannot ping the outside interface. Any ideas/thoughts? I can see nothing in the logs or via debug ICMP, which makes me think it's some sort of default behaviour that drops this traffic automatically. No NAT is configured.
Thanks in advance, happy to post more config if needed.
Many thanks,
02-21-2016 01:15 PM
FYI networksvc-grp is as follows:
object-group icmp-type networksvc-ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object source-quench
 icmp-object unreachable
02-21-2016 01:42 PM
Where is the PC located that you are pinging from? Is the outside interface the ingress interface for the ICMP packets? You may already know, but you can not ping an interface that is not the ingress interface on the ASA.
If this is not the case, try adding the command icmp permit any outside.
--
Please select a correct answer and rate helpful posts
02-21-2016 02:34 PM
Hi Maria
The PC is on the outside so the packet would be inbound on the outside interface. I did try the command you discussed previously but with no success. Thanks for taking the time to reply though
02-21-2016 02:37 PM
If you put a laptop on the same network as the outside interface, are you then able to ping the outside IP of the ASA?
--
Please select a correct answer and rate helpful posts
02-22-2016 01:40 PM
I'm not physically able to get near the device to try this at the moment Marius, however I will give this a go (I am reasonably sure this has worked in the past though as I think we tested this during deployment)
Cheers,
J
02-22-2016 01:54 PM
Another thing to check is if the ASA has a route back to the network you are pinging from.
--
Please select a correct answer and rate helpful posts
02-22-2016 01:22 PM
I'm pretty sure you just messed up the 4 ACLs you're using on in/out for the two interfaces.
I suggest you use the now-classic 'in' direction for each of the two interfaces, and so you get rid of two additional ACLs. Then carefully review the rest of the applied ACLs.
If you still have issues run clear configure access-group and test again.
02-22-2016 01:39 PM
Hi Florin,
Originally the configuration had the traditional 'in' rules only. The outbound rules were added to see if they made any difference which they didn't. I've had it set where we have allowed ICMP in on both in the inside and outside interfaces yet still no dice.
Thanks for your input though.
J