Solved: Need fluid traffic between two same security level interfaces - Page 2

Eduardo Guerra · ‎01-09-2014

Dear Sirs I am configuring an ASA5510 before implementing it on my network. I have 1 ISP for internet connected to Outside Interface, a DMZ Interfaces and 2 inside interfaces. One of these inside interfaces is Outside1 will be connected to a router that will have Fiber and Antenas for communicating with our small offices. I need fluid traffic between Inside an Outside1. I tried using some advices but still not working. Here's my configuration. Can you help me?

: Saved

:

ASA Version 8.2(1)

!

hostname ASAFCHFW

domain-name farmaciachavez.com.bo

enable password 6Jfo5anznhoG00fM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address X.X.X.X y.y.y.y

!

interface Ethernet0/1

nameif Outside1

security-level 100

ip address 192.168.2.2 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 10

ip address 172.16.31.1 255.255.255.0

!

interface Ethernet0/3

nameif Inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name farmaciachavez.com.bo

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list dmz_in extended permit ip any any

access-list dmz_in extended permit icmp any any

access-list Inside extended permit ip any any

access-list Inside extended permit icmp any any

access-list 100 extended permit tcp any host x.x.x..163 eq smtp

access-list 100 extended permit udp any host x.x.x.163 eq domain

access-list 100 extended permit tcp any host x.x.x.163 eq https

access-list 100 extended permit tcp any host x.x.x.163 eq www

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Outside1 1500

mtu DMZ 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.100.0 255.255.255.0 Outside1

icmp permit 192.168.2.0 255.255.255.0 Inside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (DMZ) 101 0.0.0.0 0.0.0.0

nat (Inside) 101 0.0.0.0 0.0.0.0

static (Inside,DMZ) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (DMZ,Outside) x.x.x.163 172.16.31.0 netmask 255.255.255.255

static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

access-group 100 in interface Outside

access-group dmz_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 x.x.x.161 1

route Outside1 172.1.1.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.100.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b5e4725e47eea02221510b282e9e5843

: end

Thanks in advanced

Eduardo Guerra

Collin Clark · ‎01-17-2014

So the satelitte offices connect to Inside to access ERP, voice, video, etc and you do not want them to NAT? They also need to get out to the internet through your firewall for email correct?

Eduardo Guerra · ‎01-17-2014

Yes, you are right

Also email must be able for LAN users, and branch offices users. I have communication between Inside and DMZ (Email server is on DMZ) so LAN users can connect to email.

EG

Collin Clark · ‎01-17-2014

Try-

static (Inside,outside1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

static (outside1,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (outside1,DMZ) 172.16.31.0 172.16.31.0 netmask 255.255.255.0

Eduardo Guerra · ‎01-18-2014

Dear Collin, those lines are already inserted in the conf. I cannot reach anyway network 172.1.x.x even if i have static route to that network (i have point that network 172.1.x.x is connected to a router that is connected to interface Outside1). Do i have to insert an ACL or what should i do to reach that network

EG

Collin Clark · ‎01-18-2014

From the router in the diagram can you access anything in the Inside or DMZ?

Eduardo Guerra · ‎01-20-2014

Collin, I tried to connect to a computer within the network connected to Inside but cannot communicate didn't try to DMZ but i will try

EG

Eduardo Guerra · ‎01-21-2014

Any suggestions?

Collin Clark · ‎01-22-2014

Are you positive that all the routing is in place?

On the ASA debug ICMP

logging enable

logging buffered 7

debug icmp trace

Then from the router or beyond, try and ping a resource in the ASA LAN side. The ping may fail, but do a show logg on the ASA and you should see some icmp debug traffic. Please post that debug.

Eduardo Guerra · ‎01-23-2014

Collin, answering to this Q:

"From the router in the diagram can you access anything in the Inside or DMZ?", posted by you. I can access to Inside from the router.

I will try

ICMP debug as you adviced

EG

Eduardo Guerra · ‎01-27-2014

Dear Collin, this is the logg:

%ASA-4-411001: Line protocol on Interface Ethernet0/3, changed state to up

%ASA-4-411001: Line protocol on Interface Inside, changed state to up

%ASA-7-711002: Task ran for 18 msec, Process = NIC status poll, PC = 88e0c93, Tr

aceback =

%ASA-7-711002: Task ran for 18 msec, Process = NIC status poll, PC = 88e0c93, Tr

aceback = 0x088E0C93 0x08062413

%ASA-6-302010: 0 in use, 25 most used

%ASA-5-111007: Begin configuration: console reading from terminal

%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.

%ASA-5-111008: User 'enable_15' executed the 'logging enable' command.

%ASA-5-111008: User 'enable_15' executed the 'logging buffered 7' command.

%ASA-5-111008: User 'enable_15' executed the 'debug icmp trace' command.

%ASA-5-111005: console end configuration: OK

%ASA-5-111001: Begin configuration: console writing to memory

%ASA-5-111004: console end configuration: OK

%ASA-5-111008: User 'enable_15' executed the 'write' command.

%ASA-7-111009: User 'enable_15' executed cmd: show running-config

ASAFCHFW# ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=1792 len

=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=1792 len=32

ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=2048 len=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=2048 len=32

ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=2304 len=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=2304 len=32

ICMP echo request from 192.168.0.20 to 192.168.0.1 ID=768 seq=2560 len=32

ICMP echo reply from 192.168.0.1 to 192.168.0.20 ID=768 seq=2560 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=2

816 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=281

6 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3

072 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=307

2 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3

328 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=332

8 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3

584 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=358

4 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=3

840 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=384

0 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4

096 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=409

6 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4

352 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=435

2 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4

608 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=460

8 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=4

864 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=486

4 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=5

120 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=512

0 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=5

376 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=537

6 len=32

ICMP echo request from Inside:192.168.0.20 to Outside1:192.168.2.22 ID=768 seq=5

632 len=32

ICMP echo reply from Outside1:192.168.2.22 to Inside:192.168.0.20 ID=768 seq=563

2 len=32

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=13568 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=14080 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=14848 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=15360 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=15872 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=16384 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=17152 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=17920 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=18688 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=19456 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=20224 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=20992 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=21760 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=22528 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=23296 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=24064 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=24832 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=25600 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=26368 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=27136 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=27904 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=28672 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=29440 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=30208 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=30976 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=31744 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=32512 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=33280 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=34048 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=34816 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=35584 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=36352 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=37120 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=37888 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=38656 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=39424 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=40192 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=40960 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=41728 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=42496 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=43264 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=44032 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=44800 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

Any suggestions?

Eduardo Guerra · ‎01-27-2014

So sorry, after show logg, this result

ASAFCHFW# ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=4359 len=3

2

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

sh logg

Syslog logging: enabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Debug-trace logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: level debugging, 2470 messages logged

Trap logging: disabled

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: level informational, 456484 messages logged

192.168.0.1/0 laddr 192.168.0.1/0

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

%ASA-6-302021: Teardown ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0

.1/0 laddr 192.168.0.1/0

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2

0 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.20 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host identity:192.168.0.1

<--- More --->ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=5127 l

en=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=5639 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=6663 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=7175 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=7943 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

%tion 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2

0 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.20 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host identity:192.168.0.1

%ASA-6-302020: Built inbound ICMP connection for faddr 172.1.1.20/768 gaddr 192.

168.0.1/0 laddr 192.168.0.1/0

%ASA-7-609001: Built local-host Outside1:192.168.2.22

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2

0 dst Outside1:192.168.2.22 (type 8, code 0)

%ASA-7-609002: Teardown local-host Outside1:192.168.2.22 duration 0:00:00

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

168.0.1/0 laddr 192.168.0.1/0

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

%ASA-7-609001: Built local-host Outside1:192.168.2.22

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2

0 dst Outside1:192.168.2.22 (type 8, code 0)

%ASA-7-609002: Teardown local-host Outside1:192.168.2.22 duration 0:00:00

%ASA-6-302021: Teardown ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0

.1/0 laddr 192.168.0.1/0

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.22

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2

0 dst Outside1:192.168.2.22 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.22 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2

0 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

%ASA-7-609002: Teardown local-host Outside1:192.168.2.20 duration 0:00:00

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host identity:192.168.0.1

%ASA-6-302020: Built inbound ICMP connection for faddr 172.1.1.20/768 gaddr 192.

168.0.1/0 laddr 192.168.0.1/0

%ASA-3-313001: Denied ICMP type=8, code=0 from 172.1.1.20 on interface Inside

%ASA-6-302021: Teardown ICMP connection for faddr 172.1.1.20/768 gaddr 192.168.0

.1/0 laddr 192.168.0.1/0

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:02

%ASA-7-609002: Teardown local-host identity:192.168.0.1 duration 0:00:02

%ASA-7-609001: Built local-host Inside:172.1.1.20

%ASA-7-609001: Built local-host Outside1:192.168.2.20

%ASA-3-305006: portmap translation creation failed for icmp src Inside:172.1.1.2

0 dst Outside1:192.168.2.20 (type 8, code 0)

%ASA-7-609002: Teardown local-host Inside:172.1.1.20 duration 0:00:00

ASAFCHFW# ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=8455 len=3

2

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=9735 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ICMP echo request from 172.1.1.20 to 192.168.0.1 ID=768 seq=9991 len=32

Denied ICMP type = 8, code = 0 from 172.1.1.20on interface 4

ASAFCHFW#