02-27-2014 12:48 PM - edited 03-11-2019 08:51 PM
I can't figure out how to overcome the implicit deny for ICMP on the inside interface of an ASA firewall.
I am pinging from one internal host to another, both on the inside interface.
I've added explicit rules, but it doesn't seem to matter.
Please help.
asa(config)# packet-tracer input inside icmp 192.168.1.200 8 0 192.168.22.1 de$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.22.0    255.255.255.0   inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static any any destination static Net_192.168.0.0_16 Net_192.168.0.0_16 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.22.1/0 to 192.168.22.1/0
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb1aaa70, priority=111, domain=permit, deny=true
        hits=3637, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-27-2014 01:14 PM
Hi Keith,
Is any other type of traffic permitted between the same devices? If not, please enable the following:
same-security-traffic permit intra-interface
It permits communication between peers connected to the same interface.
Kind regards,
Veronika
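The packet-tracer output in the question already contains the evidence for Veronika's diagnosis: the drop happens in an ACCESS-LIST phase whose config is "Implicit Rule", and the matched rule shows input_ifc and output_ifc as the same interface. The following script is an added example (not part of this thread and not Cisco tooling) that parses a packet-tracer transcript into phases, finds the first phase that returns DROP, and flags the intra-interface case so the operator knows to check for same-security-traffic permit intra-interface before hunting for a missing ACL entry. The two transcripts embedded in it are constructed and abridged; the rule id and hit count are made up.

```python
import re

# Constructed sample: an abridged transcript in the same layout as the question's,
# with made-up rule id and hit count. Traffic enters and leaves "inside".
HAIRPIN_DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.22.0    255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xdeadbeef, priority=111, domain=permit, deny=true
        hits=42, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
output-interface: inside
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: a heavily abridged transcript that ends in an allow.
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.22.0    255.255.255.0   inside

Result:
input-interface: inside
output-interface: inside
Action: allow
"""


def parse_trace(trace):
    """Split a packet-tracer transcript into a list of phase dicts plus the
    trailing summary (the block that starts with a bare 'Result:' line)."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "result": "",
                       "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # bare 'Result:' opens the summary block
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)
    return phases, summary


def diagnose(trace):
    """Report which phase dropped the packet and whether it is the
    implicit-deny, same-interface (hairpin) case from the thread above."""
    phases, summary = parse_trace(trace)
    verdict = {"action": summary.get("Action", "unknown"),
               "drop_reason": summary.get("Drop-reason", ""),
               "drop_phase": None, "drop_type": "",
               "hairpin": False, "implicit_rule": False, "hint": ""}
    drops = [p for p in phases if p["result"] == "DROP"]
    if not drops:
        verdict["hint"] = "no phase dropped the packet"
        return verdict
    p = drops[0]
    ifcs = re.search(r"input_ifc=(\S+?),\s*output_ifc=(\S+)", " ".join(p["info"]))
    verdict["drop_phase"], verdict["drop_type"] = p["phase"], p["type"]
    verdict["hairpin"] = bool(ifcs and ifcs.group(1) == ifcs.group(2))
    verdict["implicit_rule"] = any(c.startswith("Implicit Rule") for c in p["config"])
    if verdict["implicit_rule"] and verdict["hairpin"]:
        verdict["hint"] = ("flow enters and leaves the same interface and only the "
                           "implicit deny matched; check for "
                           "'same-security-traffic permit intra-interface'")
    elif verdict["implicit_rule"]:
        verdict["hint"] = "only the implicit deny matched; no configured ACL entry permits this flow"
    else:
        verdict["hint"] = "dropped by a configured rule in phase %d (%s)" % (p["phase"], p["type"])
    return verdict


if __name__ == "__main__":
    for name, trace in (("hairpin", HAIRPIN_DROP_TRACE), ("allowed", ALLOW_TRACE)):
        print(name, diagnose(trace))
```

Feed it a real transcript by reading the file and calling diagnose() on its contents. The only fields it relies on are the phase headers, the Result line of each phase, the "Implicit Rule" config marker and the input_ifc/output_ifc pair, all of which appear verbatim in the question's output.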
02-27-2014 04:16 PM
Thanks, that worked perfectly.