Deny inbound icmp src inside:IP dst interface:IP

Orcun Colakoglu
Level 1

Hello all,

I am having an issue with an ASA5505 firewall setup. We have plenty of interfaces which work fine (likely the same configurations, likely the same ACLs, letting the interface hosts reach the required points).

I am able to ping 3 different devices from the ASA via their interfaces, but I am only able to ping 2 of them from the Core switch. The Core switch has the route for the ASA inside interface.

The log says "Deny inbound icmp src inside:core-switch dst interfaceM:IP-hostM(type 8, code 0)"

Any ideas? I am lost as to why this specific interface M doesn't work while the others work as normal.

 

Thanks

31 Replies

The Core interface has a lower security level (80) than the other port,
so there must be an ACL allowing ICMP from the Core interface to the other interface (higher security, 100).
Check whether this ACL allows Core->Host ICMP.

packet-tracer input <Core> icmp <IP of Core> 8 0 <IP of Host> detailed
Please do this packet-tracer and share the output here; it gives us a hint where the packet is dropped.

Here you go;

  • packet-tracer input inside icmp CoreSwitch 8 0 hostM detailed

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: M
output-status: up
output-line-status: up
Action: allow

 

As I don't have access to the remote host, I believe something else is blocking it. Maybe a firewall rule or software on hostM.

Hi friend,
do the same packet-tracer and check another interface that works.
Under the NAT rule there is deny=true <- this may be the issue.
Under the IP Options there is deny=true <- this may be the issue.
So we need to check against another working interface.

-- wrong --

packet-tracer input Micros icmp <core> 0 0 <host> detailed

Please repeat as before, but this time change the ICMP type.

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2480836a0, priority=1, domain=permit, deny=false
hits=82343694, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000 <- this mask is wrong, so the ACL with the implicit rule is wrong; you need to add an ACL line to permit the ICMP request.
input_ifc=inside, output_ifc=any

 

I think you have a point.

The MAC address belongs to hostM, which can't reach hostS.

Also, I can't ping hostM from the Core.

 

Here we go;

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostM using egress ifc M

Phase: 2
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc M

Result:
input-interface: M
input-status: up
input-line-status: up
output-interface: M
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

 

and my ACL for the hostM interface is as below;

 

access-list M_access_in extended permit ip object obj-M object obj-SRVTrusted
access-list M_access_in extended permit ip object obj-M object obj-PCIServers
access-list M_access_in extended deny ip object obj-M object obj-PrivateClassB
access-list M_access_in extended deny ip object obj-M object obj-PrivateClassC
access-list M_access_in extended permit ip object obj-M any

 

What should I implement?
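Reading these traces by hand gets tedious once a run has a dozen phases, so here is a small parser, added as an example and not code from the thread or from Cisco. It splits a `packet-tracer ... detailed` dump into its phases and the closing Result block, reports the final action and drop reason, and flags an ADJACENCY-LOOKUP whose next-hop MAC line shows `hits 0`. The two embedded traces are condensed from outputs posted in this thread (the rpf-violated one above and the later inside -> hostM one), with the thread's placeholder names kept; the hint text for rpf-violated is an editor's reading of that drop reason, not firewall output.

```python
"""Summarise Cisco ASA ``packet-tracer ... detailed`` output.

Added example, not code from the thread's author or from Cisco: it parses the text a
packet-tracer run prints, lists each phase with its result, reports the final action and
drop reason, and flags an ADJACENCY-LOOKUP whose next-hop MAC line shows ``hits 0``. Both
sample traces are condensed from outputs posted in the thread (placeholder names kept).
"""
import re
from collections import namedtuple
from typing import List, NamedTuple, Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
FINAL_RE = re.compile(r"^Result:\s*$", re.M)  # a bare "Result:" opens the closing summary
ADJ_HITS_RE = re.compile(r"next-hop mac address \S+ hits (\d+)")
Phase = namedtuple("Phase", "number type result info")  # info: "Additional Information" lines
# Editor's reading of the drop code this thread ran into (not text from the firewall).
RPF_HINT = ("the source address is not routed via the ingress interface; "
            "check the interface mask and the route back to the source")


class TraceSummary(NamedTuple):
    input_ifc: str
    output_ifc: str
    action: str
    drop_reason: Optional[str]
    phases: List[Phase]
    zero_hit_adjacency: bool

    def drop_code(self) -> Optional[str]:
        """Short code in the Drop-reason parentheses, e.g. 'rpf-violated'."""
        m = re.match(r"\(([^)]+)\)", self.drop_reason or "")
        return m.group(1) if m else None


def _field(block: str, name: str) -> str:
    """Value of a 'Name: value' line inside a block ('' if absent or empty)."""
    m = re.search(rf"^{name}:[ \t]*(.*)$", block, re.M)
    return m.group(1).strip() if m else ""


def parse_trace(text: str) -> TraceSummary:
    """Split a packet-tracer dump into its numbered phases and the closing Result block."""
    finals = list(FINAL_RE.finditer(text))
    tail_start = finals[-1].start() if finals else len(text)
    tail = text[tail_start:]
    starts = [m.start() for m in PHASE_RE.finditer(text[:tail_start])] + [tail_start]
    phases = []
    for start, end in zip(starts, starts[1:]):
        block = text[start:end]
        _, sep, rest = block.partition("Additional Information:")
        info = [ln.strip() for ln in rest.splitlines() if ln.strip()] if sep else []
        phases.append(Phase(int(PHASE_RE.match(block).group(1)),
                            _field(block, "Type"), _field(block, "Result"), info))
    return TraceSummary(_field(tail, "input-interface"), _field(tail, "output-interface"),
                        _field(tail, "Action").lower(), _field(tail, "Drop-reason") or None,
                        phases, any(m.group(1) == "0" for m in ADJ_HITS_RE.finditer(text)))


def report(s: TraceSummary) -> List[str]:
    """Verdict line, one line per phase, then the drop reason and any warning."""
    lines = [f"{s.input_ifc} -> {s.output_ifc}: {s.action.upper()}"]
    for p in s.phases:
        tail = f" [{p.info[-1]}]" if p.info else ""
        lines.append(f"  phase {p.number:>2} {p.type:<18} {p.result}{tail}")
    if s.drop_reason:
        hint = RPF_HINT if s.drop_code() == "rpf-violated" else "look the code up in 'show asp drop'"
        lines.append(f"  Drop-reason: {s.drop_reason} -> {hint}")
    if s.zero_hit_adjacency:
        lines.append("  warning: egress next-hop adjacency shows hits 0 (never used)")
    return lines


# Constructed from the thread's rpf-violated trace (hostM -> hostS entered on M).
RPF_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop IP-hostM using egress ifc M

Phase: 2
Type: SUBOPTIMAL-LOOKUP
Result: ALLOW
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc M

Result:
input-interface: M
output-interface: M
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

# Constructed from the thread's inside -> hostM trace, reduced to its adjacency phase.
ALLOW_TRACE = """\
Phase: 11
Type: ADJACENCY-LOOKUP
Result: ALLOW
Additional Information:
adjacency Active
next-hop mac address 00a0.a426.2284 hits 0 reference 8

Result:
input-interface: inside
output-interface: M
Action: allow
"""
```

Run `print("\n".join(report(parse_trace(RPF_TRACE))))` to see the verdict, the two phases with their last "Additional Information" line, and the rpf-violated hint; on `ALLOW_TRACE` the output ends with the hits-0 warning instead. A real dump pasted into `parse_trace` works the same way, since the parser keys only on the `Phase: N`, `Result:`, `Action:` and `Drop-reason:` lines the ASA prints.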

 

 

Please do this packet-tracer to check further; please note the part of the command mentioned in red.
packet-tracer input INTERFACE icmp <IP-Source,reach by INTERFACE> 8 0 <IP-Destination> detailed

For example:
Host X is directly connected to IN1
Host Y is directly connected to IN2
Host Z is directly connected to IN3

so we will use IN1 in packet-tracer:
packet-tracer input IN1 icmp Host X 8 0 Host Y

From which side?

hostM interface, hostM to hostS?

or

inside interface, CoreSwitch to hostM?

 

I did those in the replies above...

 

Just to make sure, because I don't know the subnet on each interface or which subnet is reached via which interface:
in the packet-tracer with Micros 10.160.113.0/?, one time you use 83 and another time 183,
while the ACL uses 10.160.113.64 255.255.255.192.

83 is OK, but 183 is outside the subnet connected to Micros!!
That is why I am confused.
I hope this makes clear why we need to check again with the exact IP and interface.

It was a typo, and it looks like this; the area you mentioned now has the correct IP addresses and GWs (100%).

 

  • packet-tracer input M icmp IP-hostM 8 0 IP-hostS detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc S

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostM using egress ifc M

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group M_access_in in interface M
access-list M_access_in extended permit ip object obj-M object obj-S
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24ad998d0, priority=13, domain=permit, deny=false
hits=1, user_data=0x7fd23dee4380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=GWIP-interfaceM, mask=255.255.255.192, port=0, tag=any
dst ip/id=GWIP-interfaceS, mask=255.255.255.224, port=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=9864828, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2482180f0, priority=0, domain=inspect-ip-options, deny=true
hits=889921, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a243f20, priority=70, domain=inspect-icmp, deny=false
hits=137349, user_data=0x7fd24a23dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a255950, priority=70, domain=inspect-icmp-error, deny=false
hits=137349, user_data=0x7fd24a24f770, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=9864830, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd24814f400, priority=0, domain=inspect-ip-options, deny=true
hits=1291371, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=SRVTrusted, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10530252, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc S

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0050.5691.4269 hits 67914 reference 14

Result:
input-interface: M
input-status: up
input-line-status: up
output-interface: S
output-status: up
output-line-status: up
Action: allow

packet-tracer input Core icmp IP-Core 8 0 IP-hostM detailed

packet-tracer input Core icmp IP-Core 8 0 IP-hostS detailed

since you mentioned Core->HostS is allowed
and Core->HostM is dropped

 

Finally, only this:

  • packet-tracer input inside icmp IP-CoreSwitch 8 0 IP-hostM detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostM using egress ifc M

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object obj-inside object obj-M
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a7b2d40, priority=13, domain=permit, deny=false
hits=8, user_data=0x7fd23dee09c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=network-inside, mask=255.255.255.224, port=0, tag=any
dst ip/id=network-hostM, mask=255.255.255.192, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12619505, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24808ace0, priority=0, domain=inspect-ip-options, deny=true
hits=4763603, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a23f4a0, priority=70, domain=inspect-icmp, deny=false
hits=261411, user_data=0x7fd24a23dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a250ed0, priority=70, domain=inspect-icmp-error, deny=false
hits=261411, user_data=0x7fd24a24f770, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12619507, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2482180f0, priority=0, domain=inspect-ip-options, deny=true
hits=1203810, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=M, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13796669, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc M

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 00a0.a426.2284 hits 0 reference 8

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: M
output-status: up
output-line-status: up
Action: allow

 

  • packet-tracer input inside icmp IP-CoreSwitch 8 0 hostS detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop hostS using egress ifc S

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2485ea6c0, priority=13, domain=permit, deny=false
hits=4077610, user_data=0x7fd23dee5d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12620098, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24808ace0, priority=0, domain=inspect-ip-options, deny=true
hits=4764989, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a23f4a0, priority=70, domain=inspect-icmp, deny=false
hits=261430, user_data=0x7fd24a23dd40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd24a250ed0, priority=70, domain=inspect-icmp-error, deny=false
hits=261430, user_data=0x7fd24a24f770, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd2473df2a0, priority=0, domain=nat-per-session, deny=true
hits=12620100, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd24814f400, priority=0, domain=inspect-ip-options, deny=true
hits=1807908, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=S, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13798335, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP-hostS using egress ifc S

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0050.5691.4269 hits 12447 reference 10

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: S
output-status: up
output-line-status: up
Action: allow

I tried hard to find the reason for the ICMP drop but still can't find any reason.

We can use the following command to see the drop reason:

ciscoasa# show asp drop

1- check the count for each drop reason
2- do a ping, "not packet-tracer"
3- check the count for each drop reason again: which one increases after the ping?
I think it is a MAC address failure!! Why? Because the MAC address in the last phase of packet-tracer is missed, "NOT HIT".

And I think this is because the subnet mask configured on the interface is different from the subnet directly connected to it.
Note: please confirm it is not BVI.

Good Luck Friend.
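The three-step counter comparison above is easy to script. The following is an added example, not code from the thread's author or from Cisco: it parses two `show asp drop` snapshots, lists the reasons whose counters grew between them, and, because counters on a busy firewall increment constantly, singles out the reasons whose increase equals the number of test pings sent. The two snapshots are constructed sample output in the format the command prints, not captures from this firewall.

```python
"""Differential reading of Cisco ASA ``show asp drop`` counters.

Added example, not code from the thread's author or from Cisco. It follows the procedure
above: snapshot the counters, send a known number of pings (real traffic, not
packet-tracer), snapshot again, and see which drop reason grew. Because a busy firewall
bumps many counters at once, it also singles out the reasons whose increase equals the
number of probes sent. Both snapshots below are constructed sample output.
"""
import re
from typing import Dict, List, Tuple

# "  Reverse-path verify failed (rpf-violated)        120"  ->  code "rpf-violated", count 120
COUNTER_RE = re.compile(r"^\s+(?P<text>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")

# Constructed snapshot taken before the test pings.
SNAP_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          4512
  Reverse-path verify failed (rpf-violated)                              120
  First TCP packet not SYN (tcp-not-syn)                                9981

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                       17
"""

# Constructed snapshot after sending 4 pings from the core switch to hostM.
SNAP_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                          4513
  Reverse-path verify failed (rpf-violated)                              124
  First TCP packet not SYN (tcp-not-syn)                               10002

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                       17
"""


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each drop-reason code to its counter; section headers and 'Last clearing' are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("code")] = int(m.group("count"))
    return counters


def drops_since(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int]]:
    """Counters that grew between two snapshots, largest increase first (new codes count from 0)."""
    deltas = [(code, n - before.get(code, 0)) for code, n in after.items()]
    return sorted([d for d in deltas if d[1] > 0], key=lambda d: (-d[1], d[0]))


def reasons_matching_probes(deltas: List[Tuple[str, int]], probes: int) -> List[str]:
    """Drop codes whose increase equals the number of test packets sent."""
    return [code for code, delta in deltas if delta == probes]


if __name__ == "__main__":
    grew = drops_since(parse_asp_drop(SNAP_BEFORE), parse_asp_drop(SNAP_AFTER))
    for code, delta in grew:
        print(f"{code:<16} +{delta}")
    print("matches the 4 probes sent:", reasons_matching_probes(grew, 4))
```

On the constructed data the largest increase is `tcp-not-syn`, which is unrelated background noise; only `rpf-violated` grew by exactly the four probes sent, which is the signal the procedure is after. Sending a distinctive count (say 7 pings rather than the default 4 or 5) makes that match harder to confuse with coincidental traffic.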

No it is not BVI and thanks for all your inputs, spent time and help.

 

I can't track asp drop because the counters increment too fast, but when I check from ASDM the error is as below;

  • 19 Mar 16 2022 02:35:27 302021 core-switch 0 IP-hostM 0 Teardown ICMP connection for faddr core-switch/0 gaddr IP-hostM/0 laddr IP-hostM/0 type 8 code 0