Cisco ASA - ICMP Replies failing - LAN TO LAN

Instate
Level 1

I have a peculiar problem with Cisco ASA that I have been trying to resolve for many days, but I cannot even find the root cause. I have a network as seen in the diagram below. I cannot establish pings between these two LAN segments.

[Diagram: ASA.PNG]

See the output of the important parts of the firewall config related to the configuration/operation of ICMP.

interface GigabitEthernet1/1
nameif OUTSIDE
security-level 0
ip address X.X.X.X 255.255.255.240


interface GigabitEthernet1/2.100
vlan 100
nameif LAN2
security-level 100
ip address 10.136.14.1 255.255.254.0


interface GigabitEthernet1/2.804
vlan 804
nameif LAN
security-level 90
ip address 10.0.10.241 255.255.255.0


object network PC
host 10.136.14.15

object service APP_SERVER_5050
service tcp source eq 5050
!
!
!
!
access-list LAN1_access_in extended permit ip 10.0.10.0 255.255.255.0 host 10.136.14.15 log
access-list LAN1_access_in extended permit ip 10.0.10.0 255.255.255.0 host 10.136.14.10 log
!
!
!
nat (LAN2,LAN1) source static PC interface service any APP_SERVER_5050
!
!
access-group LAN1_access_in in interface LAN1
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
!
!
!
!
!
class inspection_default
inspect dns preset_dns_map
inspect icmp
!
service-policy global_policy global

The firewall can reach the remote server. However, this is what happens on the devices on LAN1:

Firewall# ping 10.0.10.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Server1:~$ ping 10.0.10.13
PING 10.0.10.13 (10.0.10.13) 56(84) bytes of data.
^C
--- 10.0.10.13 ping statistics ---
54 packets transmitted, 0 received, 100% packet loss, time 192ms

LAPTOP# ping 10.0.10.13
PING 10.0.10.13 (10.0.10.13) 56(84) bytes of data.
^C
--- 10.0.10.13 ping statistics ---
36 packets transmitted, 0 received, 100% packet loss, time 35000ms

But we know ICMP works because when we ping a remote device on the internet, we get a reply.

LAPTOP# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=2.41 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=2.48 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=2.40 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=2.39 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=118 time=2.43 ms

Server1:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=1.83 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=1.69 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=1.84 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=1.57 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=118 time=1.65 ms

What is it we are missing and how can we make this work? We have replicated this with other firewall brands and we get ICMP replies on the LAN but not with Cisco ASA.

Kindly assist/help/advise.

Thanks.

4 Replies

Marvin Rhoads
Hall of Fame

Is there any ACL applied to the LAN2 interface?

What does packet-tracer tell you? i.e.,

packet-tracer input LAN2 icmp 10.136.14.15 8 0 10.0.10.13

Hi Marvin,

Thank you for your reply. Yes there are access lists on that interface.

And this is the output of that command.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.0.10.13 using egress ifc LAN2

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1843010, packet dispatched to next module

Phase: 12
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.0.10.13 using egress ifc LAN2

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.0.10.13 on interface LAN2
Adjacency :Active
MAC address 000c.2929.36d9 hits 0 reference 2

Result:
input-interface: LAN2
input-status: up
input-line-status: up
output-interface: LAN1
output-status: up
output-line-status: up
Action: allow

Thanks
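As an added illustration (not part of the thread), here is a small Python helper that parses packet-tracer output in the format quoted above and reports the points a reviewer checks first: any phase whose Result is DROP, the final Action, and whether the egress interface found in the ROUTE-LOOKUP phase matches the output-interface in the trailing Result block (the quoted output shows LAN2 in phase 2 and LAN1 in the result, which is worth checking against the interface names in the config). The sample text is a constructed, condensed copy of that output.

```python
import re

# Constructed sample in packet-tracer's output format, condensed from the thread's quote.
SAMPLE = """Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.0.10.13 using egress ifc LAN2

Phase: 11
Type: FLOW-CREATION
Result: ALLOW
Additional Information:
New flow created with id 1843010, packet dispatched to next module

Result:
input-interface: LAN2
output-interface: LAN1
Action: allow
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the trailing Result summary."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"number": int(lines[0].split(":")[1]), "info": []}
            for line in lines[1:]:
                key, _, val = line.partition(":")
                if key in ("Type", "Subtype", "Result"):
                    phase[key.lower()] = val.strip()
                elif key not in ("Config", "Additional Information"):
                    phase["info"].append(line.strip())  # free text such as next-hop lines
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            summary = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    return phases, summary

def triage(text):
    """Report any DROP phase and whether the ROUTE-LOOKUP egress matches the final output-interface."""
    phases, summary = parse_packet_tracer(text)
    drop = next((f"{p['number']} {p['type']}" for p in phases if p.get("result") == "DROP"), None)
    found = [m for p in phases if p.get("type") == "ROUTE-LOOKUP"
             for m in [re.search(r"egress ifc (\S+)", " ".join(p["info"]))] if m]
    egress, out = (found[0].group(1) if found else None), summary.get("output-interface")
    return {"action": summary.get("Action"), "drop_phase": drop, "route_egress": egress,
            "output_interface": out, "egress_mismatch": egress is not None and egress != out}
```

Paste a full `packet-tracer` output into `triage()` in place of `SAMPLE`; a non-empty `drop_phase` points at the module that discarded the packet, while `egress_mismatch` only flags something to look at, not a verdict.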

Marvin Rhoads
Hall of Fame

So the ASA logic appears to be allowing the traffic through. Have you verified that the ICMP echo requests are not arriving at the server (i.e., Wireshark packet capture on the server)?

Thank you Marvin,

No, I have not verified. I am not at the location and we cannot be for a while, but as you can see, it is on the server and the laptop - both not receiving ICMP echo replies. Yes, Wireshark might show something, but what are the chances that it will be happening on both devices?

We have this exact topology at other sites but with Fortinet firewalls, and we have no problems. Yet we have 4 locations with Cisco ASA and this is happening on all 4 of them - laptop and server of the same build in all locations.

Surely there must be something common on the ASA.
