ASA5520 Deny inbound icmp while icmp inspect configured

edhunterr
Level 1

Hi all,

I have an ASA5520-K8 on V 9.1(7)32 for my ISP firewall.

 

I have routed through this ASA all traffic going towards a hosted PBX on the internet, which comes from softphones.

I have an internet interface and a transit interface (towards my gw).

We have issues with choppy voice.

 

I get a lot of these messages:

 

 %ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
 %ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
 %ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
 %ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
 %ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
 %ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)

 

34.76.xx.xx is the hosted PBX, 172.24.0.185 is the caller.

 

I understand that type 3 code 3 is port unreachable. All traffic coming from the softphone is UDP, not marked.

I'm trying to determine, firstly, if this indicates an issue on my side (on the ASA). I understand the UDP traffic is OK, since calls are executed and traffic is going through, as I determined with a capture:

 

2178 packets captured

1: 09:53:16.415963 172.24.1.121.5060 > 34.76.xx.xx.5060: udp 4
2: 09:53:17.863084 172.24.0.135.5060 > 34.76.xx.xx.5060: udp 4
3: 09:53:46.414819 172.24.1.121.5060 > 34.76.xx.xx.5060: udp 4
4: 09:53:47.862000 172.24.0.135.5060 > 34.76.xx.xx.5060: udp 4
5: 09:53:49.777059 34.76.xx.xx.5060 > 172.24.1.121.5060: udp 419
6: 09:53:49.780736 172.24.1.121.5060 > 34.76.xx.xx.5060: udp 358
7: 09:54:13.244692 34.76.xx.xx.5060 > 172.24.0.135.5060: udp 418

 

So I don't understand why I would be getting port unreachable ICMP messages in the first place.

 

And the second question is: why do I keep seeing the deny inbound icmp while I have icmp inspect configured? See below:

 

icmp unreachable rate-limit 10 burst-size 1

 

policy-map global_policy
  class inspection_default
    inspect icmp

 

Doesn't that mean that ICMP messages should not be denied? Is there somewhere else I should be looking?

 

Thanks.
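The syslog lines and the capture quoted above are the two pieces of evidence in this question, and the first thing to do with them is correlate them. The following is an added example, not Cisco code and not part of the original post: it parses the %ASA-3-106014 lines, counts denied ICMP messages per source, destination and type/code, and for every denied ICMP error checks whether the capture actually shows the inside host sending UDP to the host that returned the error. The sample lines are constructed to mirror the post (addresses stay masked as "xx", and one extra destination and one echo reply are added so the summary has more than one key); the function names are my own.

```python
"""Triage helper for ASA %ASA-3-106014 'Deny inbound icmp' messages.

Added example (not Cisco code, not from the original post). It parses the
syslog lines and the capture output quoted in the thread, counts the denied
ICMP messages per source/destination/type/code, and for each ICMP error
checks whether the capture shows the inside host sending UDP to the host
that returned the error.
"""
import re
from collections import Counter

# Constructed sample input modelled on the post's syslog lines (one extra
# destination and one echo reply added so the summary has more than one key).
ASA_LOG = """\
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.135 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src internet:34.76.xx.xx dst transit:172.24.0.185 (type 0, code 0)
"""

# Constructed excerpt in the format of the post's capture output.
CAPTURE = """\
1: 09:53:16.415963 172.24.1.121.5060 > 34.76.xx.xx.5060: udp 4
2: 09:53:17.863084 172.24.0.135.5060 > 34.76.xx.xx.5060: udp 4
5: 09:53:49.777059 34.76.xx.xx.5060 > 172.24.1.121.5060: udp 419
"""

LOG_RE = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)
CAP_RE = re.compile(r"^\d+: \S+ (?P<src>\S+) > (?P<dst>\S+): udp (?P<len>\d+)$")

# Names for the ICMP type/code pairs an ASA operator most often sees in 106014.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: fragmentation needed",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL exceeded in transit",
}


def describe(icmp_type, icmp_code):
    """Human-readable name for a type/code pair, falling back to the numbers."""
    return ICMP_NAMES.get((icmp_type, icmp_code), f"type {icmp_type} code {icmp_code}")


def parse_asa_106014(text):
    """Return one dict per 106014 line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({
                "src_if": m["src_if"], "src": m["src"],
                "dst_if": m["dst_if"], "dst": m["dst"],
                "type": int(m["type"]), "code": int(m["code"]),
            })
    return events


def parse_udp_capture(text):
    """Parse 'host.port > host.port: udp N' lines into (src, sport, dst, dport, len)."""
    flows = []
    for line in text.splitlines():
        m = CAP_RE.match(line.strip())
        if not m:
            continue
        src, sport = m["src"].rsplit(".", 1)   # last dotted field is the port
        dst, dport = m["dst"].rsplit(".", 1)
        flows.append((src, int(sport), dst, int(dport), int(m["len"])))
    return flows


def summarize(events):
    """Count denied ICMP messages per (src, dst, type, code)."""
    return Counter((e["src"], e["dst"], e["type"], e["code"]) for e in events)


def triage_unreachables(events, flows):
    """For each host that received a denied ICMP error (type 3), report whether
    the capture shows that host sending UDP to the host that sent the error.
    False means the error refers to traffic the capture never saw, which is
    the first thing to check before worrying about the deny itself."""
    outbound = {(src, dst) for src, _, dst, _, _ in flows}
    result = {}
    for e in events:
        if e["type"] != 3:
            continue
        seen = (e["dst"], e["src"]) in outbound
        result[e["dst"]] = result.get(e["dst"], False) or seen
    return result


if __name__ == "__main__":
    events = parse_asa_106014(ASA_LOG)
    for (src, dst, t, c), n in summarize(events).most_common():
        print(f"{n:4d}  {src} -> {dst}  {describe(t, c)}")
    for host, seen in triage_unreachables(events, parse_udp_capture(CAPTURE)).items():
        print(f"{host}: outbound UDP to error sender seen in capture = {seen}")
```

Run against real `show logging` and `show capture` output, the triage result separates two cases: a host that is in the capture talking to the PBX and still gets port unreachable back (the remote side is answering on a different port than the one it was sent to), and a host that is not in the capture at all, which means the capture filter did not include the flow that provoked the error. Either way the ASA dropping the error itself does not break an established UDP call; the dropped message is diagnostic information, not the voice path.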

 

3 Replies

The UDP port is open, so it is allowed to enter the ASA from its outside interface.
ICMP inspection doesn't allow any echo reply or unreachable message to enter the ASA from its outside interface, except in the case where the echo request came from inside the ASA.

Thank you for replying.

 

So, what would be the most fuss-free way to allow echo replies from outside? Creating an access list would require me to allow everything else I need, because access lists have an implicit deny at the end, right?

 

Also, what do the port unreachable messages indicate? It's a two-part issue/question I'm asking: whether the ICMP unreachable messages indicate an issue I should look into, and also how to best allow echo replies from outside on the ASA.

 

Thanks again.

Any suggestions for easily allowing echo replies through?
