12-07-2021 04:38 AM - edited 12-07-2021 04:50 AM
Hi all,
I have an ASA5520-K8 on V 9.1(7)32 for my ISP firewall.
I have routed through this ASA all traffic going towards a hosted PBX on the internet which comes from softphones.
I have an internet interface and a transit interface (towards my gw)
We have issues with choppy voice.
I get a lot of these messages:
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
34.76.xx.xx is the hosted PBX, 172.24.0.185 is the caller.
I understand that type 3 code 3 is port unreachable. All traffic coming from the softphone is UDP, not marked.
I'm trying to determine, firstly, whether this indicates an issue on my side (on the ASA). I understand the UDP traffic is OK, since calls are executed and traffic is going through, as I determined with a capture ->
2178 packets captured
1: 09:53:16.415963 172.24.1.121.5060 > 34.76.xx.xx.5060: udp 4
2: 09:53:17.863084 172.24.0.135.5060 > 34.76.xx.xx.5060: udp 4
3: 09:53:46.414819 172.24.1.121.5060 > 34.76.xx.xx.5060: udp 4
4: 09:53:47.862000 172.24.0.135.5060 > 34.76.xx.xx.5060: udp 4
5: 09:53:49.777059 34.76.xx.xx.5060 > 172.24.1.121.5060: udp 419
6: 09:53:49.780736 172.24.1.121.5060 > 34.76.xx.xx.5060: udp 358
7: 09:54:13.244692 34.76.xx.xx.5060 > 172.24.0.135.5060: udp 418
So I don't understand why I would be getting port unreachable ICMP messages in the first place.
And the second question is: why do I keep seeing the deny inbound ICMP while I have ICMP inspect configured? See below:
icmp unreachable rate-limit 10 burst-size 1
policy-map global_policy
class inspection_default
inspect icmp
Doesn't that mean that ICMP messages should not be denied? Is there somewhere else I should be looking?
Thanks.
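To sort out whether the denied ICMP in the log is just noise or something worth chasing, a quick triage script over the syslog lines helps. This is an added example, not part of the original post or of any Cisco tool: it parses %ASA-3-106014 lines in the format quoted above, counts them per source, destination and ICMP type/code, and flags the one kind of unreachable (type 3, code 4, fragmentation needed) whose loss directly hurts traffic quality because it breaks path-MTU discovery. The addresses in the sample lines are constructed documentation-range placeholders, not the poster's PBX or callers, and the type/code name table is a small assumed subset of the ICMP registry.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the same format as the post quotes.
# Addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
%ASA-3-106014: Deny inbound icmp src internet:203.0.113.10 dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:203.0.113.10 dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:203.0.113.10 dst transit:172.24.0.135 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:203.0.113.10 dst transit:172.24.0.185 (type 3, code 4)
%ASA-3-106014: Deny inbound icmp src internet:203.0.113.10 dst transit:172.24.1.121 (type 0, code 0)
%ASA-4-106023: Deny tcp src internet:198.51.100.7/4444 dst transit:172.24.0.185/22 by access-group "outside_in"
"""

# Matches only message ID 106014 (denied inbound ICMP); other IDs are ignored.
LINE_RE = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# Assumed subset of ICMP type/code names; anything else is reported as "other".
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed (PMTUD)",
    (8, 0): "echo request",
    (11, 0): "TTL exceeded in transit",
}


def parse_106014(text):
    """Yield one dict per %ASA-3-106014 line; other message IDs are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["type"] = int(d["type"])
            d["code"] = int(d["code"])
            d["name"] = ICMP_NAMES.get((d["type"], d["code"]), "other")
            yield d


def summarize(text):
    """Count denied ICMP per (src, dst, type, code), most frequent first.

    Each entry carries a pmtud_risk flag: a denied 'fragmentation needed'
    message means the sender never learns the path MTU, which can degrade
    a UDP media stream far more than a stray port unreachable does.
    """
    counts = Counter()
    for d in parse_106014(text):
        counts[(d["src"], d["dst"], d["type"], d["code"])] += 1
    report = []
    # sorted() is stable, so equal counts keep their first-seen order.
    for (src, dst, t, c), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        report.append({
            "src": src, "dst": dst, "type": t, "code": c,
            "name": ICMP_NAMES.get((t, c), "other"), "count": n,
            "pmtud_risk": (t, c) == (3, 4),
        })
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        flag = "  <-- PMTUD at risk" if entry["pmtud_risk"] else ""
        print(f'{entry["count"]:4d}  {entry["src"]} -> {entry["dst"]}  '
              f'type {entry["type"]} code {entry["code"]} ({entry["name"]}){flag}')
```

Feed it the output of `show logging` (or the syslog export) and look at two things: whether the port unreachables concentrate on a few callers, and whether any type 3 code 4 messages are being dropped at all, since those are the ones an `inspect icmp` configuration that only admits replies to inside-originated requests will not let through.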
12-08-2021 12:05 PM
The UDP port is open, so that traffic is allowed to enter the ASA from its outside interface.
ICMP inspection doesn't allow any echo reply or unreachable message to enter the ASA from its outside interface, except when the echo request came from inside the ASA.
12-10-2021 02:50 AM
Thank you for replying.
So, what would be the most fuss-free way to allow echo replies from outside? Creating an access list would require me to allow everything else I need, because access lists have an implicit deny at the end, right?
Also, what do the port unreachable messages indicate? It's a two-part issue/question I'm asking: whether the ICMP unreachable messages indicate an issue I should look into, and also how to best allow echo replies from outside on the ASA.
Thanks again.
12-14-2021 01:03 AM
Any suggestions for easily allowing echo replies through?