Deny inbound icmp src inside:IP dst interface:IP

Orcun Colakoglu
Level 1

Hello all,

I am having an issue with an ASA5505 firewall setup. We have plenty of interfaces which work fine (likely the same configurations, likely the same ACLs, letting interface hosts reach the required points).

I am able to ping 3 different devices from the ASA via their interfaces, but I am only able to ping 2 of them from the core switch. The core switch has the route for the ASA inside interface.

The log says "Deny inbound icmp src inside:core-switch dst interfaceM:IP-hostM(type 8, code 0)"

Any ideas? I am lost as to why this specific interfaceM doesn't work while the others work as normal.

Thanks


Your post timeline:

1 - Deny inbound icmp src inside:core-switch dst interfaceM:IP-hostM(type 8, code 0)

This is an ACL issue that you solved by adding an ACL, as below.

2 - After making some ACL changes, I am now getting the below error:

6 Mar 16 2022 07:45:27 302021 core-switch 0 IP-hostM 0 Teardown ICMP connection for faddr core-switch/0 gaddr IP-hostM/0 laddr IP-hostM/0 type 8 code 0

 

"Cisco ASA is a security device that provides the combined capabilities of a firewall, an antivirus, and an intrusion prevention system. It also facilitates virtual private network (VPN) connections. It helps to detect threats and stop attacks before they spread through the network.

Message: %ASA-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num} [(idfw_user)] gaddr {gaddr | icmp_type} laddr laddr [(idfw_user)] (981) type {type} code {code}.

Event 302021 is generated when an ICMP connection is removed in the fast-path when stateful ICMP had been enabled using the 'inspect icmp' command.

The message contains information on the:

  • IP address of the foreign, global and local host.
  • Name of the identity firewall user.
  • The user name associated with the host from where the connection had been initiated.
  • ICMP type and code.

How could you resolve this situation?

This event does not require any action."

So after you added the ACL and allowed the traffic, the FW passes the traffic and adds a conn to the table, and then the message appears when this conn times out and is deleted from the table.
So it is normal.

This could potentially be caused by an ACL entry being matched before any allow rule. The easiest way to get to the bottom of this is to use packet-tracer, which will most likely show you the ACL that would be denying this traffic. For example, if the source IP is 192.168.0.1 and the destination IP is 172.16.0.1, where the source ingress interface on the ASA is CORE, then you can use a command similar to this:

packet-tracer input CORE icmp 192.168.0.1 8 0 172.16.0.1
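To tell the two messages in this thread apart when reviewing ASA syslog in bulk, here is an added example (not from any of the posts above): it parses the "Deny inbound icmp" line and the 302021 teardown line, flags the deny as the one that needs ACL review (and builds the packet-tracer command suggested above for it), and counts denies per ingress/egress interface pair so an interface that alone is blocked stands out. The sample lines and addresses are constructed placeholders.

```python
import re
# Constructed sample lines modelled on the two messages quoted in this thread;
# addresses and interface names are placeholders, not real hosts.
SAMPLE_LOGS = [
    "Deny inbound icmp src inside:10.0.0.1 dst interfaceM:10.9.0.5(type 8, code 0)",
    "6 Mar 16 2022 07:45:27 302021 10.0.0.1 0 10.9.0.5 0 Teardown ICMP connection "
    "for faddr 10.0.0.1/0 gaddr 10.9.0.5/0 laddr 10.9.0.5/0 type 8 code 0",
]
# ACL drop of an echo request; src/dst carry "interface:address".
DENY_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):"
    r"(?P<dst>\S+)\s*\(type (?P<type>\d+), code (?P<code>\d+)\)")
# %ASA-6-302021: the stateful ICMP entry aged out, so the packet had been permitted.
TEARDOWN_RE = re.compile(
    r"Teardown ICMP connection for faddr (?P<faddr>\S+)/\d+ gaddr (?P<gaddr>\S+)/\d+ "
    r"laddr (?P<laddr>\S+)/\d+ type (?P<type>\d+) code (?P<code>\d+)")

def parse_asa_icmp_line(line):
    """Return a dict for a deny or teardown ICMP line, or None for anything else."""
    m = DENY_RE.search(line)
    if m:
        d = m.groupdict()
        return {"event": "deny", "src_if": d["src_if"], "src": d["src"],
                "dst_if": d["dst_if"], "dst": d["dst"],
                "type": int(d["type"]), "code": int(d["code"]),
                # the diagnostic suggested in the thread: replay the flow through the ACLs
                "action": "packet-tracer input %s icmp %s %s %s %s"
                          % (d["src_if"], d["src"], d["type"], d["code"], d["dst"])}
    m = TEARDOWN_RE.search(line)
    if m:
        d = m.groupdict()
        return {"event": "teardown", "faddr": d["faddr"], "gaddr": d["gaddr"],
                "laddr": d["laddr"], "type": int(d["type"]), "code": int(d["code"]),
                "action": "none: informational, connection timed out after being permitted"}
    return None

def summarize(lines):
    """Count denies per (ingress, egress) interface pair and informational teardowns."""
    report = {"deny": {}, "teardown": 0}
    for line in lines:
        ev = parse_asa_icmp_line(line)
        if ev is None:
            continue
        if ev["event"] == "deny":
            key = (ev["src_if"], ev["dst_if"])
            report["deny"][key] = report["deny"].get(key, 0) + 1
        else:
            report["teardown"] += 1
    return report
```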
