06-27-2019 12:09 AM
Hi All,
I have a Cisco ASA 5520. I understand the basic concept of the ASA. I have been reading a lot of articles and I studied ASA courses. All of them say "By default you can ping from a higher security level to a lower security level", but the problem is I can't seem to ping any host on a lower security level from a host on a higher security level. I turned on ICMP inspection, and I still can't ping. I tried an ACL, and I still can't ping. I tried a global ACL rule: I can ping from the low security level going to the high security level, but when I ping from higher to lower I can't. I'm absolutely confused.
06-27-2019 12:54 AM
Since we do not see your config, and what the device model and ASA code version running are...
Hope you have done inspect icmp?
policy-map global_policy
class inspection_default
inspect icmp
06-28-2019 08:22 PM
Hi,
I have enabled ICMP inspection in the global_policy and class inspection_default. I still can't ping.
Model: ASA5520
Code Version: "disk0:/asa916-6-k8.bin"
06-29-2019 02:21 AM
What do you see in the FW logs when the ping is not allowed? It would be nice to have some logs to see why it is dropping.
There may be some ACL rule order that may be blocking?
06-27-2019 04:56 AM
06-28-2019 08:26 PM
"Have you verified that the host on the lower security level does in fact respond to ping?
As in that it doesn't have a firewall blocking the ping."
Answer: Yes, I did ping all of my hosts from the ASA and they are all responding, but when I try to ping from a host on the high security-level going to the lower security-level, they don't seem to respond.
"Also have you tried using the ASA packet tracer tool to try and find out what (if anything) stops the icmp packet?"
Answer: Not yet. Thanks for pointing this out. I will look into this.
07-08-2019 03:10 AM
"Answer: Yes, I did ping all of my hosts from the ASA and they are all responding, but when I try to ping from a host on the high security-level going to the lower security-level, they don't seem to respond."
I would suggest taking another look to see if there is a host-based firewall on the low sec host(s); a host-based firewall might allow ping from the same subnet but not from a different subnet, so a ping from the local ASA interface would work.
What OS are you running on these machines? I believe this is the default behavior in Win10 (as well as 7 & 8), for example.
Also did you check with packet tracer on the ASA?
Or perhaps with a packet capture/wireshark to see if the ping reaches the low sec subnet.
07-08-2019 03:45 AM
07-13-2019 07:58 PM
"I would suggest taking another look to see if there is a host-based firewall on the low sec host(s); a host-based firewall might allow ping from the same subnet but not from a different subnet, so a ping from the local ASA interface would work.
What OS are you running on these machines? I believe this is the default behavior in Win10 (as well as 7 & 8), for example."
Answer: The host-based firewall is turned off, but I'm still having the same result.
"Also did you check with packet tracer on the ASA?"
Answer: Yes. I checked with the packet tracer tool on the ASA going from high-sec-lvl to low-sec-lvl (icmp-echo); the packet is allowed, along with the icmp-echo reply. I guess it works then. The problem is I want the hosts to be able to ping across subnets and display the replies on each PC.
"Or perhaps with a packet capture/wireshark to see if the ping reaches the low sec subnet."
Answer: No, it doesn't reach the low-sec subnet. :(
06-29-2019 02:12 AM
07-07-2019 01:49 AM
"Hi,
Are you saying at the moment you can ping between devices if the ping is initiated from a lower level security heading towards a higher level security?
But using the same hosts, if you initiate the ping from higher security level to the lower level it does not work?
Just trying to clarify what the current status is from your initial post."
Answer: Yes, that is correct. That's what I'm currently experiencing right now.
07-07-2019 02:27 AM
07-07-2019 07:31 AM
"Are you able to share the config minus any public information?
By default you should be able to go from high to low (if no ACL saying otherwise). If you want to go from low to High you will explicitly need to allow the desired access via an ACL."
Answer: Here you go. Please check and let me know what I missed. Thank you.
07-07-2019 08:30 AM
07-15-2019 07:46 PM
The default security rule only comes in when there is no access list bound to an interface. That does not apply to this case, since there is an inbound access list applied to the inside interface.
access-group inside_access_in in interface inside
The ACL tied to that access group looks like this:
access-list inside_access_in extended permit ip any any
In order to remove all doubt, you can either delete this ACL or insert a new line into it explicitly permitting ICMP.
access-list inside_access_in line 2 extended permit icmp any any echo
access-list inside_access_in line 3 extended permit icmp any any echo-reply
The other ACLs in your configuration don't seem to be bound on any interface, assuming this is the complete configuration:
access-list Production_access_in_1 extended permit ip 10.19.5.0 255.255.255.0 object Lab-PC
access-list Production_access_in extended permit ip object Prod any
access-list Dev_access_in extended permit ip 10.19.12.0 255.255.255.0 any
I don't see anything in the attached configuration that should allow the behavior that you report, i.e. a device behind the lower security interface (dmz, 50) successfully pinging a device behind a higher security interface (inside, 100).
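The point made in this answer, that an inbound access-group on an interface replaces the default security-level rule and that unbound ACLs do nothing, can be checked mechanically. The script below is an added example, not from the thread or from Cisco: it parses a constructed ASA config fragment modelled on the one discussed (interface names, ACL names and the 10.19.12.0/24 network are taken from the thread; the rest is assumed) and reports, per interface, whether ICMP echo is governed by the default rule or by a bound ACL.

```python
"""Minimal ASA config checker: who decides ICMP echo on each interface?

Added example (not the thread's or Cisco's code). Parsing covers only the
access-list / access-group forms seen in the thread, not full ASA syntax.
"""
import re

# Constructed sample config modelled on the thread (not the poster's full config).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
access-list inside_access_in extended permit ip any any
access-list Dev_access_in extended permit ip 10.19.12.0 255.255.255.0 any
access-group inside_access_in in interface inside
"""

ACE_RE = re.compile(r"access-list (\S+) (?:line \d+ )?extended (permit|deny) (\S+) (.*)")
BIND_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")


def parse(config):
    """Return ({acl_name: [(action, proto, rest), ...]}, {(iface, dir): acl_name})."""
    acls, bindings = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif m := BIND_RE.match(line):
            bindings[(m.group(3), m.group(2))] = m.group(1)
    return acls, bindings


def icmp_verdict(config, iface):
    """First-match evaluation of inbound ICMP echo on `iface` (ip or icmp ACEs match)."""
    acls, bindings = parse(config)
    name = bindings.get((iface, "in"))
    if name is None:
        return "default-security-level-rule"   # no inbound ACL bound: high->low allowed
    for action, proto, _rest in acls.get(name, []):
        if proto in ("ip", "icmp"):
            return f"{action} by {name}"
    return f"implicit deny by {name}"           # bound ACL with no matching ACE


def unbound_acls(config):
    """ACLs defined but not applied to any interface; they have no effect."""
    acls, bindings = parse(config)
    return sorted(set(acls) - set(bindings.values()))
```

With the thread's own "permit ip any any" ACE the verdict on inside is a permit, so an ICMP drop there points elsewhere (the ACL on another path, or the host) rather than at the default rule.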