02-21-2013 04:26 AM - edited 03-11-2019 06:03 PM
Dear All,
Today I ran into a problem with enabling ICMP traffic between two inside interfaces on an ASA5510 (version 8.2).
I tried to ping from 192.168.1.2 to 192.168.2.2. Failed.
But I can visit outside websites or ping from either of the two addresses above to 8.8.8.8.
So I checked the configuration, shown as follows:
<omitted>
interface ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
<omitted>
interface ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
<omitted>
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
I searched a bit and found some docs saying ICMP inspection should be enabled, so I added inspect icmp to global_policy:
policy-map global_policy
class inspection_default
inspect icmp
Then I tried to ping again. Failed.
After that, I added the following commands:
icmp permit any inside
icmp permit any inside2
PING still failed.
Then I created two access lists and applied them on the interfaces respectively:
access-list ACL_INSIDE extended permit icmp any any
access-list ACL_INSIDE extended permit ip any any
access-list ACL_INSIDE2 extended permit icmp any any
access-list ACL_INSIDE2 extended permit ip any any
PING still failed. Can anyone help me? Thanks in advance.
Accepted Solutions
02-21-2013 05:27 AM
Hi,
When you have 2 interfaces on equal "security-level" configuration and you don't have any ACLs configured, you would be fine with the following
- same-security-traffic commands
- inspect icmp
What exactly are the devices 192.168.1.2 and 192.168.2.2?
Are they desktop workstations, laptops or router interfaces?
If we are talking about 2 desktops/laptops then I would look into the possibility that they are blocking ICMP. Perhaps they allow ICMP from the directly connected network but not from remote networks.
I have had situations where even ICMP has been allowed on the actual computer but it still won't reply to ICMP Echos.
You could also configure a capture on the ASA
access-list ICMP-CAP permit icmp host 192.168.1.2 host 192.168.2.2
access-list ICMP-CAP permit icmp host 192.168.2.2 host 192.168.1.2
capture ICMP-CAP type raw-data access-list ICMP-CAP interface
Ping a few times and check "show capture ICMP-CAP"
And see if the ASA can see ICMP echo replies at all.
- Jouni
02-21-2013 05:51 AM
Hi Jouni,
Thanks for your prompt response.
My first thought was the same as yours. Ping should work between two interfaces with equal security-level when same-security-traffic and inspect icmp are configured. But strangely, it failed.
Before I added my explicit access lists, I found there were two implicit access rules on the interfaces that look like the following when using ASDM:
permit ip any any-lower-security-level
deny ip any any
192.168.1.2 is a desktop PC, and 192.168.2.2 is a network printer which should reply to ICMP echos.
And I will try your method to capture ICMP messages and get back to you.
Cheers
02-22-2013 04:42 AM
Hi Jouni,
Today I did an experiment using GNS3. I managed to get PING working with just same-security-traffic and inspect icmp.
I went back to check my configuration on the real ASA5510, and I found the reason. It is caused by the NAT rules I configured.
After adding two NAT EXEMPT rules for 192.168.18.0/24 and 192.168.19.0/24 network, I finally got the PING working.
Cheers
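Since the thread never shows the NAT exemption rules themselves, here is an added example (not the poster's own configuration) of what they look like in ASA 8.2 syntax, assuming the two subnets from the posted interface config and a typical dynamic PAT to the outside interface, followed by a packet-tracer check that reports which phase drops the packet:

```text
! Added example, ASA 8.2 syntax; not the poster's actual configuration.
! Assumes 192.168.1.0/24 on "inside" and 192.168.2.0/24 on "inside2" (from the
! posted interface config) and an assumed dynamic PAT rule for Internet access.
!
! --- Likely cause: dynamic PAT on both inside interfaces ---
! An inside -> inside2 flow matches "nat (inside) 1", but there is no "global"
! with id 1 on inside2, so the ASA drops the flow
! (syslog %ASA-3-305005: No translation group found).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
!
! --- Fix: NAT exemption (identity NAT) for traffic between the two inside networks ---
! nat 0 is evaluated before dynamic NAT. Scope it to the two subnets only; an
! "any any" exemption would also stop translation for flows that must still be
! PATed towards the outside.
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_INSIDE2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside2) 0 access-list NONAT_INSIDE2
!
! --- Verify without touching the hosts: simulate an ICMP echo (type 8, code 0) ---
! The output lists every phase (ACCESS-LIST, NAT, INSPECT, ...) and, on failure,
! the phase that dropped the packet and the drop reason.
packet-tracer input inside icmp 192.168.1.2 8 0 192.168.2.2
packet-tracer input inside2 icmp 192.168.2.2 8 0 192.168.1.2
```

Running packet-tracer before and after adding the nat 0 rules makes the NAT phase change from a drop to "ALLOW", which confirms the diagnosis independently of whether the printer answers echoes.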
