03-16-2022 04:15 AM - edited 03-17-2022 04:42 PM
Hello all,
I am having an issue with an ASA5505 firewall setup. We have plenty of interfaces which work fine (likely the same configurations, likely the same ACLs, letting the interface hosts reach the required points).
I am able to ping 3 different devices from the ASA via their interfaces, but I am only able to ping 2 of them from the core switch. The core switch has the route for the ASA inside interface.
The log says "Deny inbound icmp src inside:core-switch dst interfaceM:IP-hostM(type 8, code 0)"
Any ideas? I am lost as to why this specific interfaceM doesn't work while the others work as normal.
Thanks
03-16-2022 10:53 AM
The Core interface has a lower security level (80) than the other port,
so there must be an ACL allowing ICMP from the Core interface to the other interface (high security, 100).
Check this ACL to see if it allows Core->Host ICMP.
03-16-2022 01:13 PM - edited 03-16-2022 01:13 PM
packet-tracer input <Core> icmp <IP of Core> 8 0 <IP of Host> detailed
Please run this packet-tracer and share the output here; this will give us a hint about where the packet is dropped.
03-16-2022 02:04 PM - edited 03-17-2022 04:40 PM
Here you go;
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: M
output-status: up
output-line-status: up
Action: allow
As I don't have access to the remote host, I believe something else is blocking it. Maybe a firewall, a rule or software on hostM.
03-17-2022 02:07 AM - edited 03-17-2022 02:10 AM
Hi friend
Do the same packet-tracer and check another interface that works.
Under the NAT rule there is deny=true <- this may be the issue.
Under the IP Options there is deny=true <- this may be the issue.
So we need to check against another working interface.
03-17-2022 02:57 AM - edited 03-17-2022 04:37 PM
-- wrong --
03-17-2022 09:47 AM - edited 03-17-2022 10:46 AM
packet-tracer input Micros icmp <core> 0 0 <host> detailed
Please repeat as before, but this time change the type of ICMP.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2480836a0, priority=1, domain=permit, deny=false
hits=82343694, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000 <- this mask is wrong, so the ACL with the implicit rule is wrong, so you need to add an ACL line to permit ICMP requests.
input_ifc=inside, output_ifc=any
03-17-2022 02:36 PM - edited 03-17-2022 04:37 PM
I think you have a point.
The MAC address belongs to hostM, which can't reach hostS.
Also, I can't ping hostM from Core.
Here we go;
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostM using egress ifc M
Phase: 2
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc M
Result:
input-interface: M
input-status: up
input-line-status: up
output-interface: M
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
and my ACL for the hostM interface is as below;
access-list M_access_in extended permit ip object obj-M object obj-SRVTrusted
access-list M_access_in extended permit ip object obj-M object obj-PCIServers
access-list M_access_in extended deny ip object obj-M object obj-PrivateClassB
access-list M_access_in extended deny ip object obj-M object obj-PrivateClassC
access-list M_access_in extended permit ip object obj-M any
What should I implement?
03-17-2022 03:01 PM - edited 03-17-2022 03:04 PM
Please run this packet-tracer to check further; please note the parts marked in red in the command.
packet-tracer input INTERFACE icmp <IP-Source,reach by INTERFACE> 8 0 <IP-Destination> detailed
for example
Host X is directly connected to IN1
Host Y is directly connected to IN2
Host Z is directly connected to IN3
so we will use IN1 in the packet-tracer:
packet-tracer input IN1 icmp Host X 8 0 Host Y
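The rpf-violated trace posted above and the reply that insists on pairing the input interface with a source address actually reached through it are two views of the same check. The script below is an added example for this thread, not code from the poster or from Cisco: it parses a `packet-tracer ... detailed` run into its phases and final Result block, pulls out the drop code, and reproduces the reverse-path test that produces "rpf-violated" (the ASA looks up the route to the source address and requires it to point back out the ingress interface). SAMPLE_TRACE is constructed from the trace posted above with its placeholder names; ROUTES is an assumed routing table, since the thread only shows that interface M carries 10.160.113.64/26 and the other networks are unnamed.

```python
"""Summarise a Cisco ASA `packet-tracer ... detailed` run and mimic its
reverse-path check.

Added example for this thread, not code from the poster or from Cisco.
SAMPLE_TRACE is constructed from the rpf-violated output posted above
(placeholder names kept); ROUTES is an assumed routing table, the thread
only shows that interface M carries 10.160.113.64/26.
"""
import ipaddress
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostM using egress ifc M
Phase: 2
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc M
Result:
input-interface: M
input-status: up
input-line-status: up
output-interface: M
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

_PHASE = re.compile(r"^Phase:\s*(\d+)\s*$", re.MULTILINE)


def parse_packet_tracer(text):
    """Return (phases, result): one dict per phase, plus the final Result block."""
    head, found, tail = text.partition("\nResult:\n")  # bare 'Result:' ends the phases
    if not found:
        raise ValueError("no final Result block in trace")
    phases = []
    starts = list(_PHASE.finditer(head))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(head)
        phase = {"num": int(m.group(1)), "type": "", "subtype": "", "result": "", "info": []}
        section = None
        for line in head[m.end():end].strip().splitlines():
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif line in ("Config:", "Additional Information:"):
                section = line
            elif section == "Additional Information:":
                phase["info"].append(line.strip())
        phases.append(phase)
    result = {}
    for line in tail.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            result[key.strip().lower()] = value.strip()
    return phases, result


def drop_reason(result):
    """(code, description) from 'Drop-reason: (code) description', or None if allowed."""
    reason = result.get("drop-reason")
    if result.get("action") != "drop" or not reason:
        return None
    m = re.match(r"\((?P<code>[^)]+)\)\s*(?P<desc>.*)", reason)
    return (m.group("code"), m.group("desc").strip()) if m else (reason, "")


# Assumed routing table (RFC 5737 ranges stand in for the networks the thread never names).
ROUTES = {
    ipaddress.ip_network("192.0.2.0/27"): "inside",       # assumed: core switch side
    ipaddress.ip_network("10.160.113.64/26"): "M",        # from the thread's ACL
    ipaddress.ip_network("198.51.100.0/27"): "S",         # assumed
    ipaddress.ip_network("0.0.0.0/0"): "outside",         # assumed default route
}


def egress_interface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the ASA would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in routes if addr in net]
    return routes[max(matches, key=lambda n: n.prefixlen)] if matches else None


def reverse_path_ok(input_ifc, src_ip, routes=ROUTES):
    """The check behind 'rpf-violated': the route back to the source must leave
    through the interface the packet arrived on. A trace entered with 'input M'
    but a core-switch source address fails here before any ACL is consulted."""
    return egress_interface(src_ip, routes) == input_ifc


if __name__ == "__main__":
    phases, result = parse_packet_tracer(SAMPLE_TRACE)
    for p in phases:
        print(f"phase {p['num']:>2} {p['type']:<22} {p['result']}")
    print("action:", result["action"], "reason:", drop_reason(result))
    print("core-switch source entered on ifc M passes RPF?", reverse_path_ok("M", "192.0.2.10"))
```

With the assumed table, 10.160.113.83 resolves to interface M while 10.160.113.183 falls through to the default route, which is the mismatch the next reply points out: a source address outside the subnet attached to the input interface fails the reverse-path check regardless of what the access-list says.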
03-17-2022 03:05 PM - edited 03-17-2022 03:11 PM
From which side?
The hostM interface, hostM to hostS?
or
the inside interface, CoreSwitch to hostM?
I did those in the replies above...
03-17-2022 03:51 PM
Just to make sure, because I don't know the subnet on each interface or which subnet is reached via which interface.
In the packet-tracer with Micros 10.160.113.0/?, one time you use 83 and another time 183,
while the ACL uses 10.160.113.64 255.255.255.192.
The 83 is OK, but 183 is outside the subnet connected to Micros!!
That is why I am confused.
I hope this makes it clear why we need to check again with the exact IP and interface.
03-17-2022 04:48 PM - edited 03-17-2022 04:50 PM
It was a typo, and it looks like this; the area you mentioned now has the correct IP addresses and GWs (100%).
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc S
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostM using egress ifc M
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group M_access_in in interface M
access-list M_access_in extended permit ip object obj-M object obj-S
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24ad998d0, priority=13, domain=permit, deny=false
hits=1, user_data=0x7fd23dee4380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=GWIP-interfaceM, mask=255.255.255.192, port=0, tag=any
dst ip/id=GWIP-interfaceS, mask=255.255.255.224, port=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=9864828, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2482180f0, priority=0, domain=inspect-ip-options, deny=true
hits=889921, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a243f20, priority=70, domain=inspect-icmp, deny=false
hits=137349, user_data=0x7fd24a23dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a255950, priority=70, domain=inspect-icmp-error, deny=false
hits=137349, user_data=0x7fd24a24f770, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=9864830, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd24814f400, priority=0, domain=inspect-ip-options, deny=true
hits=1291371, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=SRVTrusted, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10530252, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 11
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc S
Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0050.5691.4269 hits 67914 reference 14
Result:
input-interface: M
input-status: up
input-line-status: up
output-interface: S
output-status: up
output-line-status: up
Action: allow
03-17-2022 05:18 PM - edited 03-17-2022 05:19 PM
packet-tracer input Core icmp IP-Core 8 0 IP-hostM detailed
packet-tracer input Core icmp IP-COre 8 0 IP-hostS detailed
since you mention Core->HostS is allowed
and Core->HostM is dropped.
Finally, only this:
03-18-2022 03:20 AM - edited 03-18-2022 03:21 AM
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostM using egress ifc M
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object obj-inside object obj-M
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a7b2d40, priority=13, domain=permit, deny=false
hits=8, user_data=0x7fd23dee09c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=network-inside, mask=255.255.255.224, port=0, tag=any
dst ip/id=network-hostM, mask=255.255.255.192, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12619505, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24808ace0, priority=0, domain=inspect-ip-options, deny=true
hits=4763603, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a23f4a0, priority=70, domain=inspect-icmp, deny=false
hits=261411, user_data=0x7fd24a23dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a250ed0, priority=70, domain=inspect-icmp-error, deny=false
hits=261411, user_data=0x7fd24a24f770, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12619507, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2482180f0, priority=0, domain=inspect-ip-options, deny=true
hits=1203810, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13796669, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc M
Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 00a0.a426.2284 hits 0 reference 8
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: M
output-status: up
output-line-status: up
Action: allow
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop hostS using egress ifc S
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2485ea6c0, priority=13, domain=permit, deny=false
hits=4077610, user_data=0x7fd23dee5d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12620098, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24808ace0, priority=0, domain=inspect-ip-options, deny=true
hits=4764989, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a23f4a0, priority=70, domain=inspect-icmp, deny=false
hits=261430, user_data=0x7fd24a23dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a250ed0, priority=70, domain=inspect-icmp-error, deny=false
hits=261430, user_data=0x7fd24a24f770, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12620100, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd24814f400, priority=0, domain=inspect-ip-options, deny=true
hits=1807908, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=S, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13798335, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc S
Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0050.5691.4269 hits 12447 reference 10
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: S
output-status: up
output-line-status: up
Action: allow
03-18-2022 02:44 PM
I tried hard to find the reason for the ICMP drop but still cannot find any reason.
We can use the following command to see the drop reason:
ciscoasa# show asp drop
1- Check the count for each drop reason.
2- Do a ping (not packet-tracer).
3- Check the count for each drop reason again: which one increases after the ping?
I think it is a MAC address failure!! Why? Because the MAC address in the last phase of the packet-tracer is missed ("NOT HIT"),
and I think this is because the subnet mask configured on the interface is different from the subnet directly connected to it.
Note: please confirm it is not a BVI.
Good luck, friend.
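The three-step procedure above (snapshot the counters, ping, snapshot again) is easy to state but hard to read by eye on a busy firewall, where several counters move between the two snapshots. The script below is an added example for this thread, not code from the poster or from Cisco: it parses two `show asp drop` snapshots and keeps only the counters whose increase matches the number of echo requests sent. Both snapshots are constructed in the layout `show asp drop` prints, with a busy acl-drop counter and a small rpf-violated increment, to show the noise problem and how the probe count isolates the relevant reason.

```python
"""Diff two `show asp drop` snapshots to find the counter a test ping moves.

Added example for this thread, not code from the poster or from Cisco.
BEFORE and AFTER are constructed snapshots in the layout `show asp drop`
prints: a busy acl-drop counter and a small rpf-violated increment.
"""
import re

BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                       8812047
  Reverse-path verify failed (rpf-violated)                               215
  No valid adjacency (no-adjacency)                                        40
  First TCP packet not SYN (tcp-not-syn)                                 9731

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                       120

Last clearing: Never
"""

AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                       8812983
  Reverse-path verify failed (rpf-violated)                               219
  No valid adjacency (no-adjacency)                                        40
  First TCP packet not SYN (tcp-not-syn)                                 9812

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                       120

Last clearing: Never
"""

# "  <description> (<reason-name>)   <count>"; header and 'Last clearing' lines do not match.
_ENTRY = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Map drop-reason name -> (description, count) for every counter line."""
    counters = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            counters[m.group("name")] = (m.group("desc"), int(m.group("count")))
    return counters


def asp_drop_delta(before, after):
    """Counters that increased between the snapshots: name -> increase."""
    old = parse_asp_drop(before)
    new = parse_asp_drop(after)
    delta = {}
    for name, (_desc, count) in new.items():
        increase = count - old.get(name, ("", 0))[1]
        if increase > 0:
            delta[name] = increase
    return delta


def candidates(delta, probes, slack=1):
    """Drop reasons whose increase matches the number of pings sent (+/- slack).

    A counter that jumped by hundreds during a 4-packet ping is background
    traffic; the one that moved by about 4 is the drop the ping hit.
    """
    return sorted(name for name, inc in delta.items() if abs(inc - probes) <= slack)


if __name__ == "__main__":
    delta = asp_drop_delta(BEFORE, AFTER)
    for name, inc in sorted(delta.items(), key=lambda kv: -kv[1]):
        print(f"{name:<16} +{inc}")
    print("matches a 4-packet ping:", candidates(delta, probes=4))
```

On a production box the noise can be reduced further before sampling: `clear asp drop` zeroes the counters so the diff starts from zero, and `capture <name> type asp-drop all` followed by `show capture <name>` records the dropped packets themselves with their drop reason, which is the easier route when, as in the last post, the counters increment too fast to compare by hand.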
03-18-2022 04:36 PM
No, it is not a BVI, and thanks for all your input, the time spent and the help.
I can't track asp drop because the information increments too fast, but when I check from ASDM the error is as below;