Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2669
Views
15
Helpful
8
Replies

ASA5515 - deny ICMP dst outside

Go to solution
NetAdmin2
Level 1
Level 1

‎02-12-2021 10:15 AM - edited ‎02-12-2021 10:16 AM

I get an error some in a while about Google DNS:

%ASA-4-117145: 
Deny icmp src Z245:172.23.123.67 dst OUTSIDE:8.8.8.8 
(type 3, code 3) by access-group "Z245_access_in"

I'm trying to understand it, but my mind is frozen.

I have to permit icmp for Z245_access_in ? to get to Google DNS ?

How the command should be ?

 

Thank you.

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-12-2021 10:13 PM - edited ‎02-12-2021 10:14 PM

The deny is for icmp (used by ping and traceroute) - not for DNS per se. Sometimes I have seen ACLs that allow DNS (or other things) explicitly and then the implicit deny will block icmp. To test DNS to 8.8.8.8 use nslookup and specify 8.8.8.8 as the server.

If you want to allow the icmp then, yes, it would need to be added to the Z245_access_in ACL. The exact syntax depends on how the access-list is currently constructed.

View solution in original post

Go to solution
Sheraz.Salim
VIP
VIP

‎02-13-2021 06:33 AM - edited ‎02-13-2021 07:12 AM

your command should be in this fashion. looking into your icmp code

ICMP: Type = 3 (Destination unreachable)

 

 

access-list Z245_access_in line 1 extended permit icmp host 172.23.123.67 host 8.8.8.8 echo-reply

 

 

please do not forget to rate.

View solution in original post

Go to solution
Sheraz.Salim
VIP
VIP
In response to MHM Cisco World

‎02-13-2021 07:33 AM

if you use SLA on ASA the syslog message would be in this manner. i just test this on my ASA.
where my configuration are simple and default.

 

show sla monitor configuration 1
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

 

<166>:Feb 13 15:44:40 UTC: %ASA-session-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.8.108/42424 laddr 192.168.8.108/42424 type 8 code 0
please do not forget to rate.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
MHM Cisco World
VIP
VIP

‎02-12-2021 12:07 PM

ICMP port unreachable this is the meaning for this code, 
can I see the NAT and ACL for this connection ?

0 Helpful

Go to solution
NetAdmin2
Level 1
Level 1
In response to MHM Cisco World

‎02-15-2021 04:54 PM - edited ‎02-15-2021 05:01 PM

Hi MHM Cisco World,

The network path: Router -> Switch -> Firewall ASA -> Switch -> F5 -> host container (NTCP-172.23.123.67/[68])

Router:

The NAT is static, and is done on the router, using route-map + ACL

 

ip nat inside source static NTCP-172.23.123.67 134.23.123.67 route-map permit-134.23.123.67 extendable no-alias

route-map permit-134.23.123.67 permit 10
match ip address LIST-permit-134.23.123.67
match interface FastEthernet0/1/0
!

ip access-list extended LIST-permit-134.23.123.67
permit ip host 172.23.123.67 host 8.8.8.8
permit ip host 172.23.123.68 host 8.8.4.4

 

ASA:

the ACL for Z245_access_in:

 

object-group service DM_INLINE_SERVICE_237
service-object object TCP-53
service-object object UDP-53

object-group network DM_INLINE_NETWORK_131
network-object object NTCP-172.23.123.67
network-object object NTCP-172.23.123.68

object-group network DM_INLINE_NETWORK_132
network-object object Google-DNS-8.8.4.4
network-object object Google-DNS-8.8.8.8

access-list Z245_access_in extended permit object-group DM_INLINE_SERVICE_237 object-group DM_INLINE_NETWORK_131 object-group DM_INLINE_NETWORK_132
access-list Z245_access_in extended deny tcp any any eq smtp log disable inactive
access-list Z245_access_in extended deny ip any any

 

the ACL for OUTSIDE_access_out:

 

object-group service DM_INLINE_SERVICE_238
service-object object TCP-53
service-object object UDP-53

object-group network DM_INLINE_NETWORK_133
network-object object NTCP-172.23.123.67
network-object object NTCP-172.23.123.68

object-group network DM_INLINE_NETWORK_134
network-object object Google-DNS-8.8.4.4
network-object object Google-DNS-8.8.8.8

access-list OUTSIDE_access_out extended permit object-group DM_INLINE_SERVICE_238 object-group DM_INLINE_NETWORK_133 object-group DM_INLINE_NETWORK_134

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to NetAdmin2

‎02-15-2021 05:40 PM

Where is ip sla config?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-12-2021 10:13 PM - edited ‎02-12-2021 10:14 PM

The deny is for icmp (used by ping and traceroute) - not for DNS per se. Sometimes I have seen ACLs that allow DNS (or other things) explicitly and then the implicit deny will block icmp. To test DNS to 8.8.8.8 use nslookup and specify 8.8.8.8 as the server.

If you want to allow the icmp then, yes, it would need to be added to the Z245_access_in ACL. The exact syntax depends on how the access-list is currently constructed.

Go to solution
MHM Cisco World
VIP
VIP
In response to Marvin Rhoads

‎02-13-2021 06:52 AM

I think he use 8.8.8.8 as destination for IP SLA  imp echo

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP

‎02-13-2021 06:33 AM - edited ‎02-13-2021 07:12 AM

your command should be in this fashion. looking into your icmp code

ICMP: Type = 3 (Destination unreachable)

 

 

access-list Z245_access_in line 1 extended permit icmp host 172.23.123.67 host 8.8.8.8 echo-reply

 

 

please do not forget to rate.

Go to solution
MHM Cisco World
VIP
VIP

‎02-13-2021 07:01 AM - edited ‎02-13-2021 07:13 AM

So If you use IP SLA then 
and you config the ACL then will permit only echo request 
but what about the port unreachable and other icmp message, it by default drop.
you need to permit it.

NOTE:- 
if you generate the traffic from inside "which I sure" then you don't need any ACL in outside interface 
only need icmp inspection.

Go to solution
Sheraz.Salim
VIP
VIP
In response to MHM Cisco World

‎02-13-2021 07:33 AM

if you use SLA on ASA the syslog message would be in this manner. i just test this on my ASA.
where my configuration are simple and default.

 

show sla monitor configuration 1
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

 

<166>:Feb 13 15:44:40 UTC: %ASA-session-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.8.108/42424 laddr 192.168.8.108/42424 type 8 code 0
please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card