
Issue with icmp-reply through ASA

robertramsey (Level 1)

Hello,

I'm having trouble getting ICMP replies from outside hosts to my inside hosts.  I've spent a few hours looking at other posts with the same issue.  Most posts suggest policy map inspection over ACL exceptions.  I've tried two methods of policy map inspection without success.  I can't figure out what I'm missing.  Here's what I've been working on:

ACL Method

access-list icmp-allow extended permit icmp any any

class-map icmp-class-map
match access-list icmp-allow
!
!
policy-map icmp-policy-map
class icmp-class-map
inspect icmp
!
service-policy icmp-policy-map interface inside

Inspection Method

class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global

Debug

With either of these applied, I see the following:

firewall# debug icmp trace
debug icmp trace enabled at level 1
firewall# ping googl.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.251.215.228, timeout is 2 seconds:
ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48558 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48558 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228on interface 2
?ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48559 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48559 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228on interface 2
?ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48560 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48560 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228on interface 2
?ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48561 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48561 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228on interface 2
?ICMP echo request from 65.129.24.126 to 142.251.215.228 ID=48562 seq=4567 len=72
ICMP echo reply from 142.251.215.228 to 65.129.24.126 ID=48562 seq=4567 len=68
Denied ICMP type = 0, code = 0 from 142.251.215.228on interface 2

I can see that my inside host is being properly translated to my outside interface's IP (PAT).  It seems like the firewall isn't tracking my ICMP request...

My Inside hosts can access the Internet without issue, I'm just having trouble getting ICMP back through the ASA.  I'm using a 5506 running 9.16(4) code.

Thanks in advance!

18 Replies

You tested from Windows, but is the IP used for Windows the same as the ASA inside interface?
Why I ask you that: when I ran a lab, I ran debug icmp and pinged from the inside interface, and I got exactly the same as your issue:

Denied ICMP type = 0, code = 0 from 142.251.215.228on interface 2


Hello MHM,

I'm testing that now...  When I ping google.com from the ASA it fails, like before, but from an inside PC it works...  Looking at my original post, I tested by pinging from the ASA and it failed.  I want to believe I always tested using my PC but maybe not...  So, different question then: why can't I get an ICMP reply when pinging from the ASA?  Nice catch by the way!

From ASA

firewall# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.251.211.238, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
firewall#

From PC

C:\Users\ramse>ping google.com

Pinging google.com [142.251.211.238] with 32 bytes of data:
Reply from 142.251.211.238: bytes=32 time=13ms TTL=118
Reply from 142.251.211.238: bytes=32 time=13ms TTL=118
Reply from 142.251.211.238: bytes=32 time=13ms TTL=118
Reply from 142.251.211.238: bytes=32 time=13ms TTL=118

Ping statistics for 142.251.211.238:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 13ms, Average = 13ms

C:\Users\ramse>

The ASA by default does not accept pings toward its interface.
I made a lab yesterday and I succeeded in making the interface accept a ping toward it, BUT I don't recommend changing the default behaviour of the ASA.
What I added is one command:
icmp permit host < > echo-reply <IN interface>

Hello MHM,

I've been thinking about ICMP flow when initiated from the ASA.  Most Cisco devices, probably the ASA too, will use the nearest interface to the destination when originating traffic, including ICMP requests.  Therefore, the ASA is probably sourcing the ICMP request from the outside interface, but it's not configured to track that interface's ICMP traffic.  Moreover, I have an explicit ICMP deny statement configured for the outside interface, which is the destination of the ICMP reply.

I think I just got confused when I switched from my host to the ASA when performing my ping tests.  It's been super educational and interesting but a journey started by an inconsistent test method.

Thanks for all your help.  You really have been an ambassador of good will throughout this process. 
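The two cases the thread separates, as an added configuration example that is not part of the original thread or of the poster's running config. Through-traffic (an inside host pinging out, PAT'd to the outside address) is handled by the `inspect icmp` policy already shown above. Traffic that terminates on the ASA itself, such as the echo-reply coming back to the outside interface when the ASA originates the ping, is controlled only by the per-interface `icmp` rules, which are evaluated first-match; an `icmp deny any outside` placed before any permit drops the reply with exactly the "Denied ICMP type = 0, code = 0" trace seen above. The interface name `outside` and the target host are assumptions for illustration.

```cisco
! --- Through-traffic: inside host -> Internet -> reply back to the PAT address.
! Stateful ICMP inspection tracks each echo request by ID/seq so the reply
! is allowed back without an inbound ACL exception on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! --- To-the-box traffic: the ASA sourcing its own ping from the outside interface.
! Interface ICMP rules are processed top-down, first match wins, so the
! echo-reply permit (and the error types useful for troubleshooting) must
! come BEFORE the catch-all deny. A bare "icmp deny any outside" on its own
! blocks the ASA's own ping replies as well as inbound echo from the Internet.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside

! --- Verification.
! Ping explicitly sourced from the outside interface (the case that failed):
!   firewall# ping outside 142.251.211.238
! Review the rule order that will be applied:
!   firewall# show running-config icmp
```

Keep the final `icmp deny any outside` in place; it still rejects unsolicited echo requests aimed at the outside interface from the Internet, while only reply and error messages to the firewall's own probes are let through.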
