02-12-2021 10:15 AM - edited 02-12-2021 10:16 AM
I get an error once in a while about Google DNS:
%ASA-4-117145: Deny icmp src Z245:172.23.123.67 dst OUTSIDE:8.8.8.8 (type 3, code 3) by access-group "Z245_access_in"
I'm trying to understand it, but my mind is frozen.
Do I have to permit icmp in Z245_access_in to get to Google DNS?
What should the command be?
Thank you.
02-12-2021 10:13 PM - edited 02-12-2021 10:14 PM
The deny is for icmp (used by ping and traceroute) - not for DNS per se. Sometimes I have seen ACLs that allow DNS (or other things) explicitly and then the implicit deny will block icmp. To test DNS to 8.8.8.8 use nslookup and specify 8.8.8.8 as the server.
If you want to allow the icmp then, yes, it would need to be added to the Z245_access_in ACL. The exact syntax depends on how the access-list is currently constructed.
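To make the accepted answer concrete, here is a small parser (added example, not code from the thread or from Cisco) that reads the two ASA syslog lines quoted in this thread, decodes the ICMP type/code pair, and states whether the dropped packet had anything to do with DNS. The regular expressions are assumptions about the message layout based only on the two lines posted; the ICMP names come from RFC 792.

```python
import re

# Added example (not from the thread): parse the two ASA syslog lines posted
# above and decode the ICMP type/code so the "deny" can be read for what it is.

# ICMP type and destination-unreachable code names (RFC 792 subset).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable",
                     4: "fragmentation needed"}

# Layout assumed from the posted line:
# %ASA-x-nnnnnn: Deny icmp src IF:IP dst IF:IP (type T, code C) by access-group "ACL"
DENY_RE = re.compile(
    r'%ASA-(?P<sev>\d)-(?P<msgid>\d+): Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src>[\d.]+) dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) by access-group "(?P<acl>[^"]+)"'
)
# Layout assumed from the posted line:
# %ASA-[session-]x-nnnnnn: Built outbound ICMP connection for faddr A/p gaddr B/p laddr C/p type T code C
BUILT_RE = re.compile(
    r'%ASA-(?:session-)?(?P<sev>\d)-(?P<msgid>\d+): Built (?P<direction>inbound|outbound) '
    r'ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ '
    r'laddr (?P<laddr>[\d.]+)/\d+ type (?P<type>\d+) code (?P<code>\d+)'
)

def describe_icmp(icmp_type: int, icmp_code: int) -> str:
    """Human-readable name for an ICMP type/code pair."""
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        name += f" ({UNREACHABLE_CODES.get(icmp_code, f'code {icmp_code}')})"
    return name

def parse_asa_icmp(line: str):
    """Return a dict describing an ASA ICMP deny/built event, or None if the line is neither."""
    m = DENY_RE.search(line)
    if m:
        t, c = int(m["type"]), int(m["code"])
        return {"event": "deny", "msgid": m["msgid"], "proto": m["proto"],
                "src": m["src"], "src_if": m["src_if"], "dst": m["dst"], "dst_if": m["dst_if"],
                "acl": m["acl"], "icmp_type": t, "icmp_code": c,
                "description": describe_icmp(t, c)}
    m = BUILT_RE.search(line)
    if m:
        t, c = int(m["type"]), int(m["code"])
        return {"event": "built", "msgid": m["msgid"], "proto": "icmp",
                "direction": m["direction"], "faddr": m["faddr"], "laddr": m["laddr"],
                "icmp_type": t, "icmp_code": c, "description": describe_icmp(t, c)}
    return None

def triage(lines):
    """One summary per parsed event: what was blocked or built, and whether DNS (tcp/udp 53) was involved."""
    out = []
    for line in lines:
        ev = parse_asa_icmp(line)
        if ev is None:
            continue
        dns_involved = ev["proto"] in ("tcp", "udp")  # an ICMP packet is never a DNS query itself
        if ev["event"] == "deny":
            out.append(f'ACL {ev["acl"]} dropped {ev["description"]} from '
                       f'{ev["src_if"]}:{ev["src"]} to {ev["dst_if"]}:{ev["dst"]}; '
                       f'DNS traffic affected: {"yes" if dns_involved else "no"}')
        else:
            out.append(f'{ev["direction"]} ICMP {ev["description"]} {ev["laddr"]} -> {ev["faddr"]} built')
    return out

# The two syslog lines quoted in this thread, plus one constructed non-matching line.
SAMPLE_LOG = [
    '%ASA-4-117145: Deny icmp src Z245:172.23.123.67 dst OUTSIDE:8.8.8.8 (type 3, code 3) by access-group "Z245_access_in"',
    '<166>:Feb 13 15:44:40 UTC: %ASA-session-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.8.108/42424 laddr 192.168.8.108/42424 type 8 code 0',
    'unrelated line that is not an ICMP event',
]

if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

Run on the posted deny line, the parser reports that Z245_access_in dropped a destination-unreachable (port unreachable) message sent by the inside host 172.23.123.67 towards 8.8.8.8, and that no DNS traffic (tcp/udp 53) was involved, which is exactly the point of the answer above: the permitted DNS flows are untouched, only the ICMP message hits the deny.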
02-13-2021 06:33 AM - edited 02-13-2021 07:12 AM
Your command should be in this fashion, looking at your ICMP code:
ICMP: Type = 3 (Destination unreachable)
access-list Z245_access_in line 1 extended permit icmp host 172.23.123.67 host 8.8.8.8 echo-reply
02-13-2021 07:33 AM
If you use SLA on the ASA, the syslog message would be in this manner. I just tested this on my ASA, where my configuration is simple and default.
show sla monitor configuration 1
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
<166>:Feb 13 15:44:40 UTC: %ASA-session-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.8.108/42424 laddr 192.168.8.108/42424 type 8 code 0
02-12-2021 12:07 PM
ICMP port unreachable: this is the meaning of this code.
Can I see the NAT and ACL for this connection?
02-15-2021 04:54 PM - edited 02-15-2021 05:01 PM
Hi MHM Cisco World,
The network path: Router -> Switch -> Firewall ASA -> Switch -> F5 -> host container (NTCP-172.23.123.67/[68])
Router:
The NAT is static, and is done on the router, using route-map + ACL
ip nat inside source static NTCP-172.23.123.67 134.23.123.67 route-map permit-134.23.123.67 extendable no-alias
route-map permit-134.23.123.67 permit 10
match ip address LIST-permit-134.23.123.67
match interface FastEthernet0/1/0
!
ip access-list extended LIST-permit-134.23.123.67
permit ip host 172.23.123.67 host 8.8.8.8
permit ip host 172.23.123.68 host 8.8.4.4
ASA:
the ACL for Z245_access_in:
object-group service DM_INLINE_SERVICE_237
service-object object TCP-53
service-object object UDP-53
object-group network DM_INLINE_NETWORK_131
network-object object NTCP-172.23.123.67
network-object object NTCP-172.23.123.68
object-group network DM_INLINE_NETWORK_132
network-object object Google-DNS-8.8.4.4
network-object object Google-DNS-8.8.8.8
access-list Z245_access_in extended permit object-group DM_INLINE_SERVICE_237 object-group DM_INLINE_NETWORK_131 object-group DM_INLINE_NETWORK_132
access-list Z245_access_in extended deny tcp any any eq smtp log disable inactive
access-list Z245_access_in extended deny ip any any
the ACL for OUTSIDE_access_out:
object-group service DM_INLINE_SERVICE_238
service-object object TCP-53
service-object object UDP-53
object-group network DM_INLINE_NETWORK_133
network-object object NTCP-172.23.123.67
network-object object NTCP-172.23.123.68
object-group network DM_INLINE_NETWORK_134
network-object object Google-DNS-8.8.4.4
network-object object Google-DNS-8.8.8.8
access-list OUTSIDE_access_out extended permit object-group DM_INLINE_SERVICE_238 object-group DM_INLINE_NETWORK_133 object-group DM_INLINE_NETWORK_134
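The posted Z245_access_in can be walked through with a first-match model to see exactly why the logged packet is dropped. The following is an added example, not the poster's configuration or anything from Cisco: it flattens the object groups above into host sets, evaluates an access list top to bottom the way an ASA extended ACL is matched (first matching active entry wins, implicit deny at the end), and then shows what changes when an ICMP permit is added. It is deliberately stateless, so it says nothing about ICMP inspection or connection state; the packets and the extra permit entry are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the thread): a simplified, stateless model of ASA
# extended-ACL matching applied to the Z245_access_in entries posted above.

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None  # ICMP message type

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    protos: frozenset                    # {"ip"} matches every protocol
    srcs: frozenset                      # host addresses, or {"any"}
    dsts: frozenset
    dports: frozenset = frozenset()      # empty = any port (tcp/udp entries)
    icmp_types: frozenset = frozenset()  # empty = any ICMP type
    active: bool = True                  # "inactive" entries never match

    def matches(self, p: Packet) -> bool:
        if not self.active:
            return False
        if "ip" not in self.protos and p.proto not in self.protos:
            return False
        if "any" not in self.srcs and p.src not in self.srcs:
            return False
        if "any" not in self.dsts and p.dst not in self.dsts:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        return True

# Object groups from the thread, flattened to the addresses they contain.
INSIDE_HOSTS = frozenset({"172.23.123.67", "172.23.123.68"})  # DM_INLINE_NETWORK_131
GOOGLE_DNS = frozenset({"8.8.8.8", "8.8.4.4"})                # DM_INLINE_NETWORK_132
ANY = frozenset({"any"})

# Z245_access_in as posted; DM_INLINE_SERVICE_237 is TCP-53 and UDP-53.
Z245_ACCESS_IN = [
    Ace("permit", frozenset({"tcp", "udp"}), INSIDE_HOSTS, GOOGLE_DNS, dports=frozenset({53})),
    Ace("deny", frozenset({"tcp"}), ANY, ANY, dports=frozenset({25}), active=False),  # smtp deny, inactive
    Ace("deny", frozenset({"ip"}), ANY, ANY),
]

def evaluate(acl, p: Packet):
    """Return (action, index) of the first matching entry; index None means the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(p):
            return ace.action, i
    return "deny", None

def with_icmp_permit(acl, icmp_types=frozenset()):
    """Copy of acl with a constructed host-to-host ICMP permit inserted before the final deny."""
    extra = Ace("permit", frozenset({"icmp"}), frozenset({"172.23.123.67"}),
                frozenset({"8.8.8.8"}), icmp_types=icmp_types)
    return acl[:-1] + [extra] + acl[-1:]

# Constructed packets: a DNS query, and the packet from the logged deny (type 3 = unreachable).
DNS_QUERY = Packet("udp", "172.23.123.67", "8.8.8.8", dport=53)
PORT_UNREACH = Packet("icmp", "172.23.123.67", "8.8.8.8", icmp_type=3)

if __name__ == "__main__":
    print("DNS query     :", evaluate(Z245_ACCESS_IN, DNS_QUERY))
    print("ICMP type 3   :", evaluate(Z245_ACCESS_IN, PORT_UNREACH))
    # An entry that names only echo-reply (type 0) still lets type 3 fall through to the deny.
    print("+ echo-reply  :", evaluate(with_icmp_permit(Z245_ACCESS_IN, frozenset({0})), PORT_UNREACH))
    print("+ any icmp    :", evaluate(with_icmp_permit(Z245_ACCESS_IN), PORT_UNREACH))
```

The DNS query matches the first entry, while the ICMP message matches nothing but the explicit `deny ip any any`, which is the line that produced the syslog message. The last two evaluations are the practical caveat: an ICMP entry that names a single message type (echo-reply is type 0) only matches that type, so an unreachable still reaches the deny; an entry without a type keyword covers every ICMP message between those two hosts.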
02-15-2021 05:40 PM
Where is ip sla config?
02-13-2021 06:52 AM
I think he uses 8.8.8.8 as the destination for IP SLA ICMP echo.
02-13-2021 07:01 AM - edited 02-13-2021 07:13 AM
So if you use IP SLA and you configure the ACL, it will permit only echo request.
But what about port unreachable and the other ICMP messages? By default they are dropped; you need to permit them.
NOTE:
If you generate the traffic from inside (which I am sure of), then you don't need any ACL on the outside interface; you only need ICMP inspection.