ICMP Inspection

hadisharifi · ‎03-30-2011

Hi, I have configured the ASA to inspect ICMP but when trying to ping from DMZ to outside I don't get any echo replies.

Here is the config.

policy-map global_policy

class inspection_default

inspect icmp

nat (DMZ,outside) source dynamic DMZ-Subnet DMZ-NAT-POOL

access-list DMZ_access_in extended permit ip 10.0.22.0 255.255.255.0 any

The debug icmp trace on the ASA shows:

ICMP echo request from DMZ:10.0.22.51 to outside:124.x.x.x ID=512 seq=29440 len=32

ICMP echo request translating DMZ:10.0.22.51 to outside:203.14.x.x

And in the log from ASDM it shows:

Built outbound ICMP connection for faddr 124.x.x.x/0 gaddr 203.14.x.x/512 laddr 10.0.22.51/512

Teardown ICMP connection for faddr 124.x.x.x/0 gaddr 203.14.x.x/512 laddr 10.0.22.51/512

Thanks

Jennifer Halim · ‎03-30-2011

Is the outside host actually replying to the ECHO Request packet?

You might want to run packet capture on both inside and outside interfaces to see if ECHO Request is getting sent out, and ECHO Reply is coming in from the outside host.

hadisharifi · ‎03-30-2011

Hi, I have just turned on debug on the router that is connected to the outside interface and it is sending echo reply to the ASA.

ICMP: echo reply sent, src 203.14.x.x, dst 203.14.x.x, topology BASE, dscp 0 topoid 1

The destination ip is the tranlslated (gaddr).

Thanks

Jennifer Halim · ‎03-30-2011

OK, so the router is sending the reply, does the ASA receive the ECHO Reply?

Have you perform packet capture on both inside and outside interface to check where it's failing?