Hi All,
I administer a hub and spoke network. Core ASA 5520 in data center, branch ASA 5505's in the field. IPSec VPN tunnel as WAN between the two. I block ICMP on all branch ASA 5505's for outside_access_in unless the source of the ICMP is in my trusted group.
object-group network Permitted_Public_Ping
network-object host 12.x.xxx.218
network-object host 12.x.xxx.20
network-object host 50.xxx.xx.190
network-object host 50.xxx.xx.239
network-object host 109.xxx.xxx.164
network-object host 109.xxx.xxx.165
network-object host 109.xxx.xxx.171
network-object host 71.xxx.xx234
network-object host 71.xxx.xx.235
network-object host 71.xxx.xx.236
network-object host 71.xxx.xx.237
network-object host 71.xxx.xx.238
access-list outside_access_in extended permit icmp object-group Permitted_Public_Ping any echo
access-list outside_access_in extended permit icmp object-group Permitted_Public_Ping any echo-reply
access-list outside_access_in extended permit icmp object-group Permitted_Public_Ping any unreachable
access-list outside_access_in extended permit icmp object-group Permitted_Public_Ping any time-exceeded
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended deny ip any6 any6
access-list outside_cryptomap_100 extended permit ip 192.168.156.0 255.255.255.0 any4
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit host 12.x.xxx.218 echo outside
icmp permit host 12.x.xxx.20 echo outside
icmp permit host 50.xxx.xx.190 echo outside
icmp permit host 50.xxx.xx.239 echo outside
icmp permit host 71.xxx.xx.234 echo outside
icmp permit host 71.xxx.xx.235 echo outside
icmp permit host 71.xxx.xx.236 echo outside
icmp permit host 71.xxx.xx.237 echo outside
icmp permit host 71.xxx.xx.238 echo outside
icmp permit host 109.xxx.xxx.164 echo outside
icmp permit host 109.xxx.xxx.165 echo outside
icmp permit host 109.xxx.xxx.171 echo outside
icmp deny any outside
I have a branch site that is trying to scan a document and email it to a recipient. To do that, the scanner needs to call back to the data center SMTP server. However, according to the ASA logs, what is happening is "PMTU-D packet 1420 bytes greater than effective mtu 1326." I did some research on that and basically what happened was the packet was too large, so the frame was discarded and an ICMP message was sent back to the host, notifying that the packets need to be smaller. However, those ICMP messages never got back to the branch site, so it kept sending large packets and not working.
I resolved this by removing the outside_access_in statements above and replaced it with a single line: access-list outside_access_in extended permit icmp any any, and it worked immediately. All well and good, but it doesn't make sense to me. Isn't MTU Path Discovery part of the "unreachables " suite in ICMP? If so, I am clearly permitting that in the original ACL above, so I don't know why it is getting blocked. I've also had this ACL in place for 7 months at 120+ sites, and no issues anywhere until today. Lastly, the site talks to the data center where the SMTP server resides over the outside_cryptomap_100 ACL, which permits everything in the IP suite from branch to data center. So then, why does the outside_access_in ACL have anything to do with the resolution?