10-07-2010 01:06 PM - edited 03-11-2019 11:51 AM
Attempting to allow ICMP to my outside interface from anywhere... although I seem to be unable to do so.
Getting this in the logs:
3 Oct 07 2010 13:03:45 IKE Initiator unable to find policy: Intf outside, Src: 99.55.44.86, Dst: 73.82.134.12
3 Oct 07 2010 13:03:45 73.82.134.12 Denied ICMP type=8, code=0 from 73.82.134.12 on interface outside
I have 'icmp permit any outside' in my config as well.
Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(4)
Can someone help me out?
10-07-2010 01:09 PM
Make sure you have the ACL open and that your natting is correct. You would need a static nat for 73.82.134.12 on the outside or no nat at all.
Also make sure the outside doesn't have the same security level as the inside.
I hope it helps.
PK
10-07-2010 01:40 PM
Which ACL? There aren't any applied to the outside interface at this point. Outside Security: 0 Inside Security: 100.
Why would I need NAT on the outside for the source IP if I was just pinging it? Like I said, this is 1 out of 3 ASAs giving me problems. The others have NAT statements but not explicitly for the source IP. The packets get there but are denied for whatever reason. On the working ASAs I can't see any difference in regards to the outside interface and pinging.
10-07-2010 01:09 PM
Hi,
Have you enabled the policy-map to inspect icmp?
policy-map global_policy
 class inspection_default
  inspect icmp
10-07-2010 01:28 PM
No. But I haven't done that on my other 2 ASAs and I am able to ping the external (outside) interface without fail on those 2.
Firewall in question:
FW-A# show run .....
policy-map global_policy
 description tcp-traffic
 class tcp-traffic
  set connection advanced-options allow_76-78
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class ttl-class
  set connection decrement-ttl
10-07-2010 01:45 PM
inspect icmp is only for "THROUGH" the box icmp and not "TO" the box icmp.
You do not need to enable inspect icmp just to be able to ping the outside interface IP. You don't even need "icmp permit any outside"; by default the ASA allows and responds to pings.
Is 73.82.134.12 the outside interface IP address?
If so the syslog is misleading. type=8, code=0 is an ICMP request - no doubt.
Are you trying to ping the outside interface IP address from a host on the inside?
If so you cannot do that. You can only manage/ping the interface that is close to the host/client.
-KS
10-07-2010 01:51 PM
Thanks for clearing the 'through' and 'to' icmp requests. I wasn't clear on whether I actually needed those or not.
73.82.134.12 is my public IP... 99.55.44.86 is the public IP of the ASA in the colo. I am trying to ping from my office to the outside interface of my ASA in a colo, the same ASA I have an s2s tunnel with (shouldn't matter).
Just for shits and giggles I added my public IP to manage via SSH and I get this in the logs:
6 Oct 07 2010 13:49:12 73.82.134.12 4586 99.55.44.86 22 Deny TCP (no connection) from 73.82.134.12/4586 to 99.55.44.86/22 flags RST ACK on interface outside
10-07-2010 08:40 PM
I believe you may need "management-access outside" or "management-access inside" depending on which interface you'd like to ping and manage via SSH.
-KS
10-08-2010 11:14 AM
Issue turned out to be a dynamic crypto map misconfiguration....
It was matching a map that had a permit ip any any in it which caused the ASA to attempt to encrypt all the traffic it saw, even if it was a ping or ssh attempt from outside.
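The root cause above is a crypto ACL of "permit ip any any" bound to a dynamic crypto map, which makes the ASA treat every flow arriving on the outside interface, pings and SSH to the interface itself included, as tunnel traffic. The following added example (not from this thread or from Cisco) is a small offline checker that reads a saved ASA config and flags any crypto map or dynamic map whose "match address" ACL contains an any-to-any permit; the config text, ACL names, map names and subnets in it are constructed for the example.

```python
import re

# Constructed sample ASA config modelled on the thread's fault: a dynamic
# crypto map whose crypto ACL is "permit ip any any". All names and
# addresses here are made up for the example.
SAMPLE_CONFIG = """\
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_dyn_acl extended permit ip any any
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto dynamic-map outside_dyn_map 10 match address outside_dyn_acl
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

# "access-list NAME extended permit ip <src> <dst>" (src/dst captured raw)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
# "crypto map|dynamic-map NAME SEQ match address ACL"
MATCH_RE = re.compile(r"^crypto (dynamic-map|map) (\S+) (\d+) match address (\S+)$")


def parse_crypto_acl_refs(config):
    """Return ({acl_name: [token lists of each permit ip ACE]},
    [(map_kind, map_name, seq, acl_name) for every 'match address'])."""
    acl_entries, refs = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl_entries.setdefault(m.group(1), []).append(m.group(2).split())
            continue
        m = MATCH_RE.match(line)
        if m:
            refs.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return acl_entries, refs


def is_any_to_any(ace_tokens):
    # A crypto ACE whose source and destination are both "any" (or the
    # any4/any6 forms) selects every flow for encryption.
    return len(ace_tokens) == 2 and all(t in ("any", "any4", "any6") for t in ace_tokens)


def find_overbroad_crypto_maps(config):
    """List (kind, name, seq, acl) for crypto map entries whose ACL has an any-to-any ACE."""
    acl_entries, refs = parse_crypto_acl_refs(config)
    return [(kind, name, seq, acl) for kind, name, seq, acl in refs
            if any(is_any_to_any(ace) for ace in acl_entries.get(acl, []))]


if __name__ == "__main__":
    for kind, name, seq, acl in find_overbroad_crypto_maps(SAMPLE_CONFIG):
        print(f"crypto {kind} {name} {seq}: ACL {acl} permits ip any any; scope it to the tunnel subnets")
```

Run it against the output of "show running-config" saved to a file; a hit means the same symptom as in this thread (IKE initiated for non-tunnel traffic, then the original packet denied) is to be expected.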
10-07-2010 06:22 PM
Hi,
Try looking at this document: "http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml".
The first IKE message can indicate some problem with the tunnel, although "icmp permit any outside" should work if you don't have any special policy setup.
Hope this helps you
Robertson