09-05-2016 05:47 AM - edited 03-12-2019 01:14 AM
After upgrading an ASA5515-X from ASA 9.4(2)6 to 9.4(3)8, icmp/echo was denied (%ASA-4-106023) to all servers from the Internet.
All our firewall rules are based on the translated (inside) addresses.
After the update I had to change all the icmp/echo rules to allow traffic to the outside Internet addresses to get icmp/echo working again.
Luckily, all the TCP/UDP rules in the Internet access list with the normal inside addresses kept working, so we didn't have a real production outage.
Anyone else with this experience? Why is this changed or could it be a bug?
Thanks and regards
Menno van Bennekom
09-05-2016 05:02 PM
Hi,
Was your
Regards,
Aditya
Please rate helpful posts and mark correct answers.
09-06-2016 01:06 AM
Hi Aditya,
There was no 'inspect icmp' before or after the upgrade, I compared both configs with 'show run all'. By the way this is about incoming traffic (from the Internet to the DMZ).
Maybe using inspect helps, but then it's strange that this wasn't needed before.
Regards
Menno
09-30-2016 02:38 AM
This has now been solved in version 9.4(3)11:
CSCva68987 ASA drops ICMP request packets when ICMP inspection is disabled
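For readers who want to reproduce the situation described in this thread, the following ASA configuration fragment is an added illustration, not the poster's configuration. It assumes a DMZ host with a static NAT to a public address (the 10.1.1.10 and 203.0.113.10 addresses, the object and ACL names, and the 198.51.100.7 test source are all constructed placeholders) and shows the two rule styles discussed above: the rule written against the real (inside) address, which is how ASA access lists have been evaluated since 8.3 and which is expected to work on a release carrying the CSCva68987 fix, and the rule against the mapped (outside) address that the poster used as a temporary workaround on 9.4(3)8. The packet-tracer command at the end is the check a defender would run after an upgrade to confirm that an inbound echo request is permitted before relying on it.

```text
! Static NAT for a DMZ server (constructed sample addresses, RFC 5737 ranges)
object network DMZ-WEB
 host 10.1.1.10
 nat (dmz,outside) static 203.0.113.10
!
! Inbound access list on the outside interface.
! ACL entries reference the REAL (pre-NAT) address of the server,
! which is the normal post-8.3 behaviour and the style the thread's
! TCP/UDP rules use.  This is the entry that 9.4(3)8 dropped for ICMP
! (logged as %ASA-4-106023) when ICMP inspection was not enabled.
access-list OUTSIDE-IN extended permit icmp any object DMZ-WEB echo
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
!
! Temporary workaround the poster applied on the affected release:
! a second echo entry written against the MAPPED (outside) address.
! Remove it again once running a fixed release such as 9.4(3)11.
access-list OUTSIDE-IN extended permit icmp any host 203.0.113.10 echo
!
access-group OUTSIDE-IN in interface outside
!
! Post-upgrade check: simulate an inbound echo request (type 8, code 0)
! from a constructed Internet source to the server's public address and
! confirm the final result is ALLOW and the ACL phase names OUTSIDE-IN.
packet-tracer input outside icmp 198.51.100.7 8 0 203.0.113.10
```

Running the packet-tracer check both before and after a software upgrade, and comparing `show run all` output as the poster did, gives a quick way to distinguish a configuration that was silently changed by the upgrade from a behaviour change in the software itself; in this thread the configuration was unchanged and the behaviour change turned out to be the defect tracked as CSCva68987.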