FW log clarifications

Hi all Experts,

Can someone help me to understand the log output of my ASA? First let me try to explain the dilemma. I am trying to reach the ASA interface in another DMZ. Let's say that I am on the inside interface and try to reach DMZ100 (ping from inside 10.10.10.10 to DMZ100 at 10.100.1.1). Here is what the ASA shows and what I am trying to understand:

1. I have ICMP enabled in the default inspection rule

6 Nov 25 2010 10:20:56 302021 10.10.10.10 1 10.100.1.1 0 Teardown ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0

And below is the explanation given by the ASA when I hover my mouse over the output:

ICMP connection is removed in the fast path when stateful ICMP packet is enabled using ICMP INSPECT COMMAND

ICMP is enabled under the inspect rule.

2. ICMP is disabled in the inspection rule

policy-map global_policy
        class inspection_default
          no inspect icmp

6 Nov 25 2010 10:27:12 302020 10.10.10.10 1 10.100.1.1 0 Built inbound ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0


ICMP session is established in the fast-path when stateful ICMP packet is enabled using ICMP inspection command

I am looking for an explanation of the statements in bold and underlined, and in both cases the host from inside keeps getting "request timed out". Ideas and comments to resolve the request timeout so that I get a reply will be greatly appreciated.

Thanks a lot,

Jean Paul


1 Reply

Jennifer Halim
Cisco Employee

ASA does not support that. You can't ping the cross interface (i.e. if you are connected to the inside interface of the ASA, you can't ping the DMZ interface of the ASA). This is not supported by design.

If you are connected to the ASA inside interface, you can only ping the ASA inside interface, and to ping the DMZ interface, you would need to be connected from the DMZ interface of the ASA.

The ICMP inspection is for ICMP traffic through the ASA, i.e. a host on the inside network trying to ping a host on the DMZ network.

Hope that helps.
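As an added example (not part of the original thread, and not Cisco code), the script below parses the two ASDM log lines quoted in the question (syslog IDs 302020 "Built" and 302021 "Teardown" for ICMP connections) into their faddr/gaddr/laddr fields, counts Built versus Teardown events per flow, and applies the rule stated in the reply: a host can ping the ASA interface it is connected to, but not an ASA interface on another segment, while anything else is through traffic subject to ACLs and inspection. The DMZ100 address 10.100.1.1 comes from the question; the inside interface address 10.10.10.1 and the interface-name map are assumptions for illustration only, and the numbers after the "/" in faddr/gaddr/laddr are kept exactly as the log reports them without interpreting them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two ASDM log lines quoted in the question.
SAMPLE_LOGS = [
    "6 Nov 25 2010 10:20:56 302021 10.10.10.10 1 10.100.1.1 0 Teardown ICMP connection "
    "for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0",
    "6 Nov 25 2010 10:27:12 302020 10.10.10.10 1 10.100.1.1 0 Built inbound ICMP connection "
    "for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0",
]

# ASDM prefixes each message with severity, timestamp, syslog ID and four
# source/destination columns; the ASA message text follows. Direction
# ("inbound"/"outbound") only appears on the Built (302020) message.
ASDM_ICMP_RE = re.compile(
    r"^(?P<severity>\d)\s+"
    r"(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+"
    r"(?P<col_src>[\d.]+)\s+(?P<col_a>\d+)\s+(?P<col_dst>[\d.]+)\s+(?P<col_b>\d+)\s+"
    r"(?P<event>Built|Teardown)\s+(?:(?P<direction>inbound|outbound)\s+)?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fsuffix>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gsuffix>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lsuffix>\d+)$"
)

ICMP_CONN_MSGIDS = {"302020", "302021"}


@dataclass
class IcmpConnEvent:
    timestamp: str
    msgid: str
    event: str                 # "Built" or "Teardown"
    direction: Optional[str]   # "inbound"/"outbound" on 302020, None on 302021
    faddr: str
    gaddr: str
    laddr: str
    suffixes: Tuple[str, str, str]  # values after "/" as logged, uninterpreted


def parse_icmp_conn_line(line: str) -> Optional[IcmpConnEvent]:
    """Parse one ASDM-formatted 302020/302021 line; return None for anything else."""
    m = ASDM_ICMP_RE.match(line.strip())
    if not m or m.group("msgid") not in ICMP_CONN_MSGIDS:
        return None
    return IcmpConnEvent(
        timestamp=m.group("timestamp"),
        msgid=m.group("msgid"),
        event=m.group("event"),
        direction=m.group("direction"),
        faddr=m.group("faddr"),
        gaddr=m.group("gaddr"),
        laddr=m.group("laddr"),
        suffixes=(m.group("fsuffix"), m.group("gsuffix"), m.group("lsuffix")),
    )


def count_events(lines: List[str]) -> Dict[Tuple[str, str, str], Dict[str, int]]:
    """Count Built/Teardown events per (faddr, gaddr, laddr) flow, skipping unparsable lines."""
    counts: Dict[Tuple[str, str, str], Dict[str, int]] = {}
    for line in lines:
        ev = parse_icmp_conn_line(line)
        if ev is None:
            continue
        key = (ev.faddr, ev.gaddr, ev.laddr)
        counts.setdefault(key, {"Built": 0, "Teardown": 0})[ev.event] += 1
    return counts


# Assumed interface addressing for the scenario in the thread. DMZ100 at
# 10.100.1.1 is given in the question; "inside" at 10.10.10.1 is an assumption.
ASA_INTERFACE_IPS = {"inside": "10.10.10.1", "DMZ100": "10.100.1.1"}


def classify_ping_target(ingress_iface: str, dst_ip: str,
                         iface_ips: Dict[str, str] = ASA_INTERFACE_IPS) -> str:
    """Apply the rule from the reply: pinging the ASA's own interface only works for
    the interface the host arrives on; a far-side ASA interface is unsupported by
    design; any other destination is through traffic (ACL and inspection apply)."""
    owner = next((name for name, ip in iface_ips.items() if ip == dst_ip), None)
    if owner is None:
        return "through-traffic"
    if owner == ingress_iface:
        return "to-box-same-interface"
    return "to-box-cross-interface-unsupported"


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_icmp_conn_line(line))
    print(count_events(SAMPLE_LOGS))
    print(classify_ping_target("inside", "10.100.1.1"))
```

Running it on the thread's two lines shows one Built and one Teardown for the same flow 10.10.10.10 -> 10.100.1.1, and classifies that destination as a cross-interface ping of the ASA itself, which is exactly the case the reply says will never answer regardless of whether inspect icmp is on.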
