11-21-2022 08:00 PM
Hello,
I'm having trouble getting ICMP replies from outside hosts to my inside hosts. I've spent a few hours looking at other posts with the same issue. Most posts suggest policy map inspection over ACL exceptions. I've tried two methods of policy map inspection without success. I can't figure out what I'm missing. Here's what I've been working on:
ACL Method
access-list icmp-allow extended permit icmp any any
class-map icmp-class-map
match access-list icmp-allow
!
!
policy-map icmp-policy-map
class icmp-class-map
inspect icmp
!
service-policy icmp-policy-map interface inside
Inspection Method
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
Debug
With either of these applied, I see the following:
firewall# debug icmp trace
debug icmp trace enabled at level 1
firewall# ping googl.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.251.215.228, timeout is 2 seconds:
ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48558 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48558 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228 on interface 2
ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48559 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48559 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228 on interface 2
ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48560 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48560 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228 on interface 2
ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48561 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48561 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228 on interface 2
ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48562 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48562 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228 on interface 2
I can see that my inside host is being properly translated to my outside interface's IP (PAT). It seems like the firewall isn't tracking my ICMP request...
My inside hosts can access the Internet without issue, I'm just having trouble getting ICMP back through the ASA. I'm using a 5506 running 9.16(4) code.
Thanks in advance!
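As an added example (not code from the original post), a small Python parser for "debug icmp trace" output in the format shown above: it pairs each echo request with its reply by ICMP ID and sequence number and flags replies the ASA denied, so a long debug capture can be summarized instead of read line by line. The sample lines are constructed in the same shape as the post's output, using documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line shapes seen in "debug icmp trace" output on an ASA (the post's format).
REQ_RE = re.compile(r"ICMP echo request from (\S+) to (\S+) ID=(\d+) seq=(\d+) len=(\d+)")
REP_RE = re.compile(r"ICMP echo reply from (\S+) to (\S+) ID=(\d+) seq=(\d+) len=(\d+)")
# \s* tolerates the missing space in "…228on interface 2" as copied from a terminal.
DENY_RE = re.compile(r"Denied ICMP type = (\d+), code = (\d+) from (\S+)\s*on interface (\d+)")

@dataclass
class Echo:
    src: str
    dst: str
    icmp_id: int
    seq: int
    reply_seen: bool = False
    denied_on_interface: Optional[int] = None

def correlate(lines):
    """Pair echo requests with replies by (ID, seq); a 'Denied ICMP type = 0' line
    is attributed to the reply logged immediately before it."""
    echoes = {}
    last_reply_key = None
    for raw in lines:
        line = raw.lstrip("?").strip()  # drop non-printable residue from the terminal
        if m := REQ_RE.search(line):
            src, dst, icmp_id, seq, _ = m.groups()
            echoes[(int(icmp_id), int(seq))] = Echo(src, dst, int(icmp_id), int(seq))
        elif m := REP_RE.search(line):
            src, dst, icmp_id, seq, _ = m.groups()
            key = (int(icmp_id), int(seq))
            # a reply with no request seen: unsolicited, or debug started mid-ping
            echo = echoes.setdefault(key, Echo(dst, src, int(icmp_id), int(seq)))
            echo.reply_seen = True
            last_reply_key = key
        elif m := DENY_RE.search(line):
            icmp_type, _, _, iface = m.groups()
            if icmp_type == "0" and last_reply_key is not None:
                echoes[last_reply_key].denied_on_interface = int(iface)
                last_reply_key = None
    return list(echoes.values())

def summarize(echoes):
    """Count requests whose reply was denied, passed, or never seen."""
    denied = sum(1 for e in echoes if e.denied_on_interface is not None)
    passed = sum(1 for e in echoes if e.reply_seen and e.denied_on_interface is None)
    return {"denied": denied, "passed": passed,
            "no_reply": sum(1 for e in echoes if not e.reply_seen)}

# Constructed sample in the post's format: one denied reply, one passed, one unanswered.
SAMPLE = """\
ICMP echo request from 192.0.2.10 to 198.51.100.5 ID=1 seq=1 len=72
ICMP echo reply from 198.51.100.5 to 192.0.2.10 ID=1 seq=1 len=68
Denied ICMP type = 0, code = 0 from 198.51.100.5on interface 2
?ICMP echo request from 192.0.2.10 to 198.51.100.5 ID=2 seq=1 len=72
ICMP echo reply from 198.51.100.5 to 192.0.2.10 ID=2 seq=1 len=68
ICMP echo request from 192.0.2.10 to 198.51.100.5 ID=3 seq=1 len=72
""".splitlines()
```

Run it on a real capture with `summarize(correlate(open("trace.txt")))`; a non-zero "denied" count with ICMP inspection supposedly applied is the symptom this thread is about.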
11-22-2022 03:37 PM
Hello MHM,
I just got home and tried implementing the policy-map using ASDM. It worked. The code I created by hand via CLI is EXACTLY the same as the code created by ASDM. I don't have a good reason why the new code is working but it is. Thanks for your help.
ASDM created code
class-map global-class
description Permit ICMP return traffic
match default-inspection-traffic
!
!
policy-map global-policy
description Permit ICMP return traffic
class global-class
inspect icmp
!
service-policy global-policy global
CLI created code
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
11-21-2022 11:55 PM
Do you by chance have any ICMP access rules? Try issuing the command "show run icmp" and/or "show run | in icmp" and see if anything shows up.
11-22-2022 06:14 AM
Hello Marius,
Here's the info you asked for:
firewall# show run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp permit any DMZ
icmp permit any inside
From what I've read, the icmp deny and permit statements above are for whether the ASA will respond to ICMP on its interfaces, not whether it'll pass & track ICMP.
11-22-2022 12:28 AM - edited 11-22-2022 02:00 AM
After configuring the inspection, did you check show running?
Note: if you use PKT then you need to delete global_policy and add it again with ICMP inspection.
This is a limitation in PKT.
11-22-2022 06:16 AM
Hello MHM,
I don't understand "use PKT". I have removed and recreated the global_policy policy-map a few times while switching back and forth between inspection methods. Pulling out the policy-map code and re-applying it during troubleshooting should have effectively done what you've suggested.
11-22-2022 06:23 AM
PKT = packet-tracer.
If you did all you mentioned above, can you share
show access-list
11-22-2022 10:22 AM - edited 11-22-2022 10:32 AM
I will run lab now and update you.
11-22-2022 03:44 PM
Yes, I did the lab and also succeeded in pinging from a host inside to a host outside using the same policy you shared.
Anyway,
I'm so glad your issue is solved.
09-05-2024 04:47 AM
This is very strange but it works. Do we have to do this again and again even in the new image versions?
11-22-2022 08:39 AM
I thought I'd add a network diagram too to help visualize the environment.
11-22-2022 03:36 PM
Thanks for sharing. I applied the same config,
BVI and inspect ICMP, and all is fine except:
are you using the inside interface as the source of the ping?
11-22-2022 03:54 PM
Hello MHM,
I'm pinging out from a Windows 10 host within my inside network. That's the way I've tested throughout my troubleshooting.