10-10-2013 01:40 AM - edited 03-11-2019 07:49 PM
Hi Guys,
I have a Cisco 5510 all working well with full internet access. My only problem is I'm unable to ping the internet from the ASA itself; I can from behind on the LAN. When checking the logs I see the following.
3 | Oct 10 2013 | 16:11:43 | 8.8.8.8 | Denied ICMP type=0, code=0 from 8.8.8.8 on interface outside |
I have checked my access list and cannot see any deny rules.
A bit confused as to how this can happen, as I say I can ping the internet from the LAN no problem.
Any help would be great.
Thanks.
Labels: NGFW Firewalls
10-10-2013 02:19 AM
Hi,
Doing ICMP from the ASA itself follows different rules than traffic going through the ASA.
Check the output of this command:
show run icmp
Check that there are no "deny" rules present.
Or you could simply try adding:
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
Hope this helps.
- Jouni
10-10-2013 03:12 AM
l# show run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit host **.**.**.** outside
icmp permit host 192.168.1.10 management
I then added in icmp permit any echo-reply outside
This resolved the issue straight away.
By default is this feature turned off, so I have to use this command all the time?
Thanks for your help anyway,
quick response and straight to the point. Like it!
10-10-2013 03:33 AM
Hi,
Cisco documentation says:
The default behavior of the adaptive security appliance is to allow all ICMP traffic to the adaptive security appliance interfaces.
I think without any "icmp" commands defined anyone can ICMP the "outside" interface. It might be that if you ICMP from the ASA directly you have to allow the Echo Reply, as you are the one generating the initial ICMP Echo and the ICMP Echo Reply is coming towards the "outside" interface. So by default I think the ASA replies to ICMP Echo, but the Echo Reply for the ICMP Echo that the ASA generated doesn't go through without an "icmp" configuration.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
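As an added illustration of the two replies above (the interface-level "icmp" rules suggested at 02:19 and the default-behaviour explanation at 03:33), here is a small Python checker. It is not code from the thread or from Cisco; it parses `show run icmp` output and applies the ASA's control-plane ICMP evaluation: an interface with no "icmp" rules accepts all ICMP addressed to it, while an interface with any rule uses first match followed by an implicit deny. The sample configuration is constructed, and 203.0.113.5 stands in for the masked host address in the posted output.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type names accepted by the ASA "icmp" command, mapped to the numeric
# type shown in syslog lines such as "Denied ICMP type=0, code=0".
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "router-advertisement": 9, "router-solicitation": 10,
    "time-exceeded": 11, "parameter-problem": 12, "timestamp-request": 13,
    "timestamp-reply": 14, "information-request": 15, "information-reply": 16,
    "mask-request": 17, "mask-reply": 18,
}


@dataclass
class IcmpRule:
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # host -> /32, "any" -> 0.0.0.0/0
    icmp_type: Optional[int]       # None means the rule matches every type
    interface: str


def parse_icmp_rules(show_run_icmp: str) -> List[IcmpRule]:
    """Parse 'icmp {permit|deny} {host A|A MASK|any} [type] IFACE' lines.
    Other icmp lines (e.g. 'icmp unreachable rate-limit ...') are skipped."""
    rules = []
    for raw in show_run_icmp.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "icmp" or parts[1] not in ("permit", "deny"):
            continue
        action = parts[1]
        if parts[2] == "any":
            source, rest = ipaddress.IPv4Network("0.0.0.0/0"), parts[3:]
        elif parts[2] == "host":
            source, rest = ipaddress.IPv4Network(parts[3] + "/32"), parts[4:]
        else:  # address followed by a dotted netmask
            source = ipaddress.IPv4Network((parts[2], parts[3]), strict=False)
            rest = parts[4:]
        if len(rest) == 2:
            icmp_type = int(rest[0]) if rest[0].isdigit() else ICMP_TYPES[rest[0]]
            interface = rest[1]
        elif len(rest) == 1:
            icmp_type, interface = None, rest[0]
        else:
            raise ValueError(f"unrecognised icmp rule: {raw!r}")
        rules.append(IcmpRule(action, source, icmp_type, interface))
    return rules


def icmp_to_interface_permitted(rules: List[IcmpRule], interface: str,
                                src_ip: str, icmp_type: int) -> bool:
    """Control-plane ICMP decision for a packet addressed *to* an ASA interface:
    no rules on that interface -> permitted; otherwise first match wins and
    anything unmatched is denied."""
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return True
    src = ipaddress.IPv4Address(src_ip)
    for r in applicable:
        if src in r.source and (r.icmp_type is None or r.icmp_type == icmp_type):
            return r.action == "permit"
    return False


def missing_for_asa_originated_ping(rules: List[IcmpRule], interface: str,
                                    peer_ip: str) -> List[str]:
    """Reply types that ping/traceroute run *from* the ASA relies on but the
    interface's current rules would drop for the given peer."""
    needed = ("echo-reply", "time-exceeded", "unreachable")
    return [t for t in needed
            if not icmp_to_interface_permitted(rules, interface, peer_ip, ICMP_TYPES[t])]


# Constructed sample: the posted 'show run icmp' with the masked host replaced
# by a documentation address, before and after the suggested permits.
BEFORE = """\
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 203.0.113.5 outside
icmp permit host 192.168.1.10 management
"""
AFTER = BEFORE + """\
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        rules = parse_icmp_rules(cfg)
        ok = icmp_to_interface_permitted(rules, "outside", "8.8.8.8", ICMP_TYPES["echo-reply"])
        print(f"{label}: echo-reply from 8.8.8.8 on outside permitted={ok}; "
              f"missing={missing_for_asa_originated_ping(rules, 'outside', '8.8.8.8')}")
```

Running it against the "before" configuration reproduces the denied type=0 reply from 8.8.8.8 in the original syslog line, and the "after" configuration permits it. The checker also shows the trade-off Jouni describes: once any "icmp" rule exists on outside, echo requests from hosts other than the listed one are dropped, so the interface stops answering arbitrary pings while still accepting the replies the ASA's own pings and traceroutes need.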
10-10-2013 06:47 AM
Hi James,
Have you applied icmp inspection in the global policy?
policy-map global_policy
class inspection_default
inspect icmp
Let me know please if this helps.
Thanks,
Rizwan Rafeek.
10-10-2013 06:58 AM
Hi,
He already told us it works with the interface-specific "icmp" command though.
ICMP inspection only applies to traffic through the ASA, not from and to the ASA, to my understanding. Not 100% sure without checking.
- Jouni
10-10-2013 08:57 AM
Thank you for the update.
Another quick question: on the Cisco 5505 and 5520, what is the best way of web filtering? Will I need any additional hardware?
Thanks
