Cannot ping server from firewall

mahesh18
Level 6

Hi Everyone,

Here is setup

ASA---inside interface-10.68.49.x-----------------------------------Switch--------------------------------server

ASA inside interface has default route which points to switch.

From switch I can ping the server address 10.68.55.105

I can ping the ASA inside interface IP from switch.

But from ASA I can not ping it.

When we try to ping from the server, it does not work:

ASA-3-313001: Denied ICMP type=8, code=0 from 10.68.55.105 on interface inside

Regards

Mahesh

Accepted Solution

John Forester
Level 1

Hi Mahesh,

I believe your ping is reaching the firewall, because your log shows it is getting denied. That is a good sign that the ping is getting there.

Do you have an access-list built allowing the two networks to talk to each other?

"access-list MY-INSIDE-ACL extended permit ip object 10.68.49.x object 10.68.55.105"

and

Have you applied the access-list to your inside interface?

"access-group MY-INSIDE-ACL in interface inside"

Also, does your switch have IP Routing enabled? If the ping is getting to the firewall and you have a good access-list (running packet tracer can confirm this, as m.kafka suggests), perhaps the switch is not allowing the ping to return from the firewall?

4 Replies

Pavel Trinos
Level 1

You are probably missing a route to the 10.68.55.x network on your ASA! To tell more, please post your sh run int and sh run route.

m.kafka
Level 4

Mahesh,

can you give a bit more detail? Your setup looks unusual to me, or I have made wrong assumptions:

What's the subnet mask and IP addresses for all devices? (I assume /24 should be on all interfaces).

What's the output from packet tracer?

313001 is explained here http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771105 :

Error Message    %PIX|ASA-3-313001: Denied ICMP type=number, code=code from IP_address 
on interface interface_name

Explanation    When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates this syslog message. The icmp command enables or disables pinging to an interface. With pinging disabled, the security appliance cannot be detected on the network. This feature is also referred to as configurable proxy pinging.

Maybe give us a running config with all sensitive information removed (like public IPs, usernames, passwords, even encrypted etc.)

Rgds, MiKa

mahesh18
Level 6

There was an access list on the inside interface for ping traffic, and when I added the server subnet to it, it worked fine.
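As an added illustration (not code from any poster in this thread), the following script parses the 313001 syslog line quoted above and emulates the first-match evaluation of the ASA icmp command that m.kafka's quoted documentation describes. The rule sets BEFORE and AFTER are constructed guesses at the configuration: the real running config is never shown in the thread.

```python
import ipaddress
import re

# Matches the ASA-3-313001 syslog line quoted in the original post.
LOG_RE = re.compile(
    r"ASA-3-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>[\d.]+) on interface (?P<iface>\S+)"
)

def parse_313001(line):
    """Return (icmp_type, code, source, interface) from a 313001 line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return (int(m["type"]), int(m["code"]),
            ipaddress.ip_address(m["src"]), m["iface"])

def icmp_verdict(rules, iface, src, icmp_type):
    """Emulate the 'icmp' command evaluation quoted in the thread: entries are
    checked in order, the first match wins, and no match means deny (the
    condition that produces message 313001). Assumes at least one icmp entry
    exists on the interface, as in the thread."""
    for action, network, rule_type, rule_iface in rules:
        if rule_iface == iface and src in network and rule_type in (None, icmp_type):
            return action
    return "deny"

def would_be_denied(line, rules):
    """True if the packet described by a 313001 line is denied by 'rules'."""
    parsed = parse_313001(line)
    if parsed is None:
        raise ValueError("not a 313001 message")
    icmp_type, _code, src, iface = parsed
    return icmp_verdict(rules, iface, src, icmp_type) == "deny"

# Constructed, hypothetical rule sets (the thread never shows the real config).
# Before: the icmp entry on 'inside' only covered the firewall's own inside subnet.
BEFORE = [("permit", ipaddress.ip_network("10.68.49.0/24"), None, "inside")]
# After the fix in the last reply: the server subnet is added as well.
AFTER = BEFORE + [("permit", ipaddress.ip_network("10.68.55.0/24"), None, "inside")]

LOG_LINE = "ASA-3-313001: Denied ICMP type=8, code=0 from 10.68.55.105 on interface inside"

if __name__ == "__main__":
    print("before fix, denied:", would_be_denied(LOG_LINE, BEFORE))  # True
    print("after fix, denied: ", would_be_denied(LOG_LINE, AFTER))   # False
```

The same parser can be pointed at an exported ASA syslog to list which source networks are being dropped by the icmp-to-interface rules before touching the config.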
