inspecting ICMP on ASA

mestasew1
Level 1

Hi Everyone,

I am in the process of setting up an ASA for a home lab. In the process I have attempted to configure inspection of ICMP traffic and was following a document I got online. At the point when I enter

class-map type inspect

the command does not take icmp or show icmp as an option (see attached screen capture).

Please share if there is another way of achieving this, or what the problem is.


10 Replies

Hi,
Try this:

policy-map global_policy
class inspection_default
inspect icmp

or "fixup protocol icmp"

Hi RJI,

I thank you for your prompt response. I see now that the command you provided helped to list icmp as one of the default inspected protocols, but I still could not get a ping response from a device connected to the outside interface. I can get a response from the outside device when pinging from the ASA itself, but if clients connected to the inside interface ping, the ping times out.

1. The outside router is directly connected to the ASA's outside interface, in the same IP address space.

2. My inside interface is configured with a different subnet, with DHCP enabled and the gateway set to the inside interface address.

3. A route is configured to forward unknown network (0/0) traffic to the outside router.

So do you think this is an ICMP issue with the firewall, or another problem?

What network are you sourcing traffic from, the inside network? Are you natting the traffic on the outside interface?
If you are not natting, does the other device have a route back to that network?

Run packet-tracer and upload the output.

E.g. - packet-tracer input inside icmp <src ip> 8 0 <dst ip>

RJI,
Yes, I am sourcing the traffic from the inside network, attempting to reach the network connected on the outside interface of the firewall. This outside network segment is assigned a private IP address range. I am not using NAT at this point. However, this device is the gateway for my internet.
It can be considered that the firewall is between two local area networks.
I will share the results of the packet tracer.

Please see the results of the packet tracer. Can we say something from this? I do not see any drop.
XXXX# packet-tracer input inside icmp 192.168.7.68 8 0 192.168.0.253
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.253 using egress ifc outside:conisp1
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 78, packet dispatched to next module
Result:
output-interface: conisp1
output-status: up
output-line-status: up
Action: allow
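To make a trace like the one above quicker to read, here is an added Python helper (written for this page, not part of the thread and not Cisco tooling) that parses packet-tracer output into its phases, reports the first phase whose Result is not ALLOW, and pulls out the final action, egress interface and drop reason. The phase names, the all-ALLOW sample (a trimmed copy of the trace above) and the denied sample with its `Drop-reason:` line are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class TraceSummary:
    phases: list = field(default_factory=list)  # (phase number, Type, Result) per phase
    first_non_allow: tuple = ()                 # first phase whose Result is not ALLOW
    action: str = ""                            # final "Action:" value
    egress: str = ""                            # final "output-interface:" value
    drop_reason: str = ""                       # "Drop-reason:" text, present only on drops

def parse_packet_tracer(text: str) -> TraceSummary:
    """Parse ASA packet-tracer output (format as in the trace above) into a summary."""
    s, num, ptype = TraceSummary(), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Phase:\s*(\d+)$", line):
            num, ptype = int(m.group(1)), ""
        elif m := re.match(r"Type:\s*(\S+)", line):
            ptype = m.group(1)
        elif (m := re.match(r"Result:\s*(\S+)", line)) and num is not None:
            s.phases.append((num, ptype, m.group(1)))
            if m.group(1) != "ALLOW" and not s.first_non_allow:
                s.first_non_allow = s.phases[-1]
            num = None  # one Result per phase; the bare trailing "Result:" carries no value
        elif m := re.match(r"output-interface:\s*(\S+)", line):
            s.egress = m.group(1)
        elif m := re.match(r"Action:\s*(\S+)", line):
            s.action = m.group(1)
        elif m := re.match(r"Drop-reason:\s*(.+)", line):
            s.drop_reason = m.group(1)
    return s

def diagnose(s: TraceSummary) -> str:
    """Map the summary to the next troubleshooting step, following the thread's advice."""
    if s.action == "allow" and not s.first_non_allow:
        return (f"ASA forwards the packet out {s.egress} with every phase ALLOW; "
                "check the return path (reverse route on the next hop, or NAT on the ASA)")
    where = (f"phase {s.first_non_allow[0]} ({s.first_non_allow[1]})"
             if s.first_non_allow else "final result")
    return f"ASA drops the packet at {where}: {s.drop_reason or 'no drop reason shown'}"

# Constructed samples: a trimmed copy of the all-ALLOW trace above, and a made-up denied trace.
ALLOWED = "Phase: 1\nType: ROUTE-LOOKUP\nResult: ALLOW\nResult:\noutput-interface: conisp1\nAction: allow\n"
DENIED = ("Phase: 1\nType: ROUTE-LOOKUP\nResult: ALLOW\nPhase: 2\nType: ACCESS-LIST\nResult: DROP\n"
          "Result:\noutput-interface: outside\nAction: drop\n"
          "Drop-reason: (acl-drop) Flow is denied by configured rule\n")
```

Call `diagnose(parse_packet_tracer(trace))` on the pasted output; for the trace above it points at the return path rather than the ASA, which matches the reverse-route and NAT checks suggested later in the thread.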

Running a packet capture on Router would show if it receives packet or not. 

mkazam001
Level 3

policy-map global_policy
 class inspection_default
   inspect icmp


regards, mk

please rate if helpful or solved :)

Thank you for your response. Is there a way to verify the configuration other than pinging devices?

Check 1: On the ASA, make sure you have an ACL on the outside interface permitting ICMP from the router towards the inside.

Check 2: A reverse route to the inside network on the router, if NAT is not configured on the ASA,

or configure NAT/PAT for the inside network on the ASA.

Check 3: After Check 1 & 2 above, run ping and do a packet capture on the outside interface of the ASA and the inside interface of the router.

If the above doesn't resolve it, can you paste the ASA and router configs and packet captures of the ASA outside interface and the router inside interface?

Mk,

I thank you for your suggestion.

1. There is no ACL applied; the idea is to use the ICMP inspection rule without an ACL.
2. NAT is not used or configured.

Let me try a couple of the suggested settings and I will share the results.