Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2211
Views
5
Helpful
6
Replies

Cisco ASA Issue

Go to solution
James Hoggard
Level 1
Level 1

‎10-10-2013 01:40 AM - edited ‎03-11-2019 07:49 PM

Hi Guys,

I have a cisco 5510 all working well with full internet access. My only problem is i'm unable to ping the internet from the ASA itself i can fron behind on the LAN. when checking the logs i see the following.

3Oct 10 201316:11:43
8.8.8.8


Denied ICMP type=0, code=0 from 8.8.8.8 on interface outside

I have checked my access list and cannot see any deny rules.

abit confused to how this can happen as i say i can ping the internet from the LAN no problem.

any help would be great.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to rizwanr74

‎10-10-2013 06:58 AM

Hi,

He already told it works with the interface specific "icmp" command though.

ICMP Inspection only applies to traffic through the ASA not from and to the ASA to my understanding. Not 100% sure without checking.

- Jouni

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-10-2013 02:19 AM

Hi,

Doing the ICMP from the ASA itself follows different rules than the traffic going through the ASA

Check the output of this command

show run icmp

Check that there is no "deny" rules present.

Or you could simply try adding

icmp permit any echo-reply outside

icmp permit any time-exceeded outside

icmp permit any unreachable outside

Hope this helps

- Jouni

Go to solution
James Hoggard
Level 1
Level 1
In response to Jouni Forss

‎10-10-2013 03:12 AM

l# show run icmp

icmp unreachable rate-limit 1 burst-size 1

icmp permit host **.**.**.** outside

icmp permit host 192.168.1.10 management

i then added in icmp permit any echo-reply outside

This resolved the issue striaght away.

By default is this feature turned off so i have to use this command all the time?

Thanks for you help anyway

quick response and straight to the point. Like it!

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to James Hoggard

‎10-10-2013 03:33 AM

Hi,

Cisco documentation says

The default behavior of the adaptive security appliance is to allow all ICMP traffic to the adaptive security appliance interfaces.

I think without any "icmp" commands defined anyone can ICMP the "outside" interface. It might be that if you ICMP from the ASA directly that you have to allow the Echo Reply as you are the one generating the initial ICMP Echo and the ICMP Echo reply is coming towards the "outside" interface. So by default I think ASA replys to ICMP Echo but the Echo reply for the ICMP Echo that the ASA generated doesnt go through without an "icmp" configuration.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

0 Helpful

Go to solution
rizwanr74
Level 7
Level 7

‎10-10-2013 06:47 AM

Hi James,

Have you applied icmp inspection in the global policy?

policy-map global_policy

class inspection_default 

  inspect icmp

Let me know please if this helps.

thanks

Rizwan Rafeek.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to rizwanr74

‎10-10-2013 06:58 AM

Hi,

He already told it works with the interface specific "icmp" command though.

ICMP Inspection only applies to traffic through the ASA not from and to the ASA to my understanding. Not 100% sure without checking.

- Jouni

0 Helpful

Go to solution
James Hoggard
Level 1
Level 1
In response to Jouni Forss

‎10-10-2013 08:57 AM

Thanks you the update.

Another quick question on the cisco 5505 and 5520 what is the best way of web filtering? will an need any additional hardware?

Thanks

0 Helpful
Review Cisco Networking for a $25 gift card
Top