implicit deny for icmp on inside interface

I can't figure out how to overcome the implicit deny for icmp on the inside interface of an ASA firewall.

I am pinging from one internal host to another, both on the inside interface.

I've added explicit rules but it doesn't seem to matter.

Please help.

asa(config)# packet-tracer input inside icmp 192.168.1.200 8 0 192.168.22.1 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.22.0    255.255.255.0   inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static any any destination static Net_192.168.0.0_16 Net_192.168.0.0_16 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.22.1/0 to 192.168.22.1/0

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb1aaa70, priority=111, domain=permit, deny=true
        hits=3637, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Accepted Solution

Veronika Klauzova
Cisco Employee

Hi Keith,

Is another type of traffic permitted between the same devices? If not, please enable the following:

same-security-traffic permit intra-interface

It permits communication between peers connected to the same interface.

Kind regards,

Veronika
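
As an added example (not part of the accepted answer or the original post), here is a minimal ASA configuration showing that fix in context for the hairpin case the packet-tracer output above describes: both 192.168.1.0/24 and 192.168.22.0/24 are reached through the single interface named inside, so the echo request enters and leaves the ASA on the same interface. The nat (inside,inside) line is the one from the trace; the interface name, addresses, route next hop, object and ACL names are assumptions for illustration.

```cisco
! Added example, not the poster's running config. Assumed topology: the ASA's
! inside interface is on 192.168.1.0/24 and 192.168.22.0/24 sits behind a router
! on that same segment (assumed address 192.168.1.254), so inside-to-inside
! traffic must enter and exit the ASA on the same interface ("hairpin").
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route inside 192.168.22.0 255.255.255.0 192.168.1.254 1
!
! Identity NAT as shown in the UN-NAT phase of the trace: hairpinned traffic is
! left untranslated and the egress interface comes from the routing table.
object network Net_192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
nat (inside,inside) source static any any destination static Net_192.168.0.0_16 Net_192.168.0.0_16 no-proxy-arp route-lookup
!
! The fix from the accepted answer. By default the ASA drops any flow whose
! input_ifc and output_ifc are the same interface; that is the "Implicit Rule"
! with deny=true and input_ifc=inside, output_ifc=inside in Phase 4 of the
! trace, and no explicit access-list entry can override it.
same-security-traffic permit intra-interface
!
! An ACL applied to inside still governs the hairpinned flow, so if one is
! present it must permit the traffic as well (ACL name assumed).
access-list inside_in extended permit icmp 192.168.1.0 255.255.255.0 192.168.22.0 255.255.255.0 echo
access-list inside_in extended permit icmp 192.168.22.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-group inside_in in interface inside
!
! Optional: ICMP inspection makes echo/echo-reply stateful, so replies are
! matched to the connection created by the request instead of needing their
! own ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify: the ACCESS-LIST phase should now report ALLOW instead of the
! "Implicit Rule" DROP, and the setting should appear in the running config.
! packet-tracer input inside icmp 192.168.1.200 8 0 192.168.22.1 detailed
! show running-config same-security-traffic
```

Two points worth keeping in mind when applying this: same-security-traffic permit intra-interface is a global setting, not per interface, so once enabled every interface (including outside) will accept hairpinned flows that its ACL permits, and the interface ACLs should be reviewed with that in mind; and the related same-security-traffic permit inter-interface command is a different setting that allows traffic between two different interfaces of equal security level, which is not what the trace above needs.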


Thanks that worked perfectly.