cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3042
Views
15
Helpful
8
Replies

ASA5515 - deny ICMP dst outside

NetAdmin2
Level 1
Level 1

I get an error some in a while about Google DNS:

%ASA-4-117145: 
Deny icmp src Z245:172.23.123.67 dst OUTSIDE:8.8.8.8 
(type 3, code 3) by access-group "Z245_access_in" 

I'm trying to understand it, but my mind is frozen.

I have to permit icmp for Z245_access_in ? to get to Google DNS ?

How the command should be ?

 

Thank you.

3 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

The deny is for icmp (used by ping and traceroute) - not for DNS per se. Sometimes I have seen ACLs that allow DNS (or other things) explicitly and then the implicit deny will block icmp. To test DNS to 8.8.8.8 use nslookup and specify 8.8.8.8 as the server.

If you want to allow the icmp then, yes, it would need to be added to the Z245_access_in ACL. The exact syntax depends on how the access-list is currently constructed.

View solution in original post

your command should be in this fashion. looking into your icmp code

ICMP: Type = 3 (Destination unreachable)

 

 

access-list Z245_access_in line 1 extended permit icmp host 172.23.123.67 host 8.8.8.8 echo-reply

 

 

please do not forget to rate.

View solution in original post

if you use SLA on ASA the syslog message would be in this manner. i just test this on my ASA.
where my configuration are simple and default.

 

show sla monitor configuration 1
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

 

<166>:Feb 13 15:44:40 UTC: %ASA-session-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.8.108/42424 laddr 192.168.8.108/42424 type 8 code 0
please do not forget to rate.

View solution in original post

8 Replies 8

ICMP port unreachable this is the meaning for this code, 
can I see the NAT and ACL for this connection ?

Hi MHM Cisco World,

The network path: Router -> Switch -> Firewall ASA -> Switch -> F5 -> host container (NTCP-172.23.123.67/[68])

Router:

The NAT is static, and is done on the router, using route-map + ACL

 

ip nat inside source static NTCP-172.23.123.67 134.23.123.67 route-map permit-134.23.123.67 extendable no-alias

route-map permit-134.23.123.67 permit 10
match ip address LIST-permit-134.23.123.67
match interface FastEthernet0/1/0
!

ip access-list extended LIST-permit-134.23.123.67
permit ip host 172.23.123.67 host 8.8.8.8
permit ip host 172.23.123.68 host 8.8.4.4

 

ASA:

the ACL for Z245_access_in:

 

object-group service DM_INLINE_SERVICE_237
service-object object TCP-53
service-object object UDP-53

object-group network DM_INLINE_NETWORK_131
network-object object NTCP-172.23.123.67
network-object object NTCP-172.23.123.68

object-group network DM_INLINE_NETWORK_132
network-object object Google-DNS-8.8.4.4
network-object object Google-DNS-8.8.8.8

access-list Z245_access_in extended permit object-group DM_INLINE_SERVICE_237 object-group DM_INLINE_NETWORK_131 object-group DM_INLINE_NETWORK_132
access-list Z245_access_in extended deny tcp any any eq smtp log disable inactive
access-list Z245_access_in extended deny ip any any

 

the ACL for OUTSIDE_access_out:

 

object-group service DM_INLINE_SERVICE_238
service-object object TCP-53
service-object object UDP-53

object-group network DM_INLINE_NETWORK_133
network-object object NTCP-172.23.123.67
network-object object NTCP-172.23.123.68

object-group network DM_INLINE_NETWORK_134
network-object object Google-DNS-8.8.4.4
network-object object Google-DNS-8.8.8.8

access-list OUTSIDE_access_out extended permit object-group DM_INLINE_SERVICE_238 object-group DM_INLINE_NETWORK_133 object-group DM_INLINE_NETWORK_134

 

Where is ip sla config?

Marvin Rhoads
Hall of Fame
Hall of Fame

The deny is for icmp (used by ping and traceroute) - not for DNS per se. Sometimes I have seen ACLs that allow DNS (or other things) explicitly and then the implicit deny will block icmp. To test DNS to 8.8.8.8 use nslookup and specify 8.8.8.8 as the server.

If you want to allow the icmp then, yes, it would need to be added to the Z245_access_in ACL. The exact syntax depends on how the access-list is currently constructed.

I think he use 8.8.8.8 as destination for IP SLA  imp echo

your command should be in this fashion. looking into your icmp code

ICMP: Type = 3 (Destination unreachable)

 

 

access-list Z245_access_in line 1 extended permit icmp host 172.23.123.67 host 8.8.8.8 echo-reply

 

 

please do not forget to rate.

So If you use IP SLA then 
and you config the ACL then will permit only echo request 
but what about the port unreachable and other icmp message, it by default drop.
you need to permit it.

NOTE:- 
if you generate the traffic from inside "which I sure" then you don't need any ACL in outside interface 
only need icmp inspection.

if you use SLA on ASA the syslog message would be in this manner. i just test this on my ASA.
where my configuration are simple and default.

 

show sla monitor configuration 1
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

 

<166>:Feb 13 15:44:40 UTC: %ASA-session-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.8.108/42424 laddr 192.168.8.108/42424 type 8 code 0
please do not forget to rate.
Review Cisco Networking for a $25 gift card