03-20-2018 08:09 AM - edited 02-21-2020 07:32 AM
See diagram attachment.
I receive the following error in the logs of the ASA:
no matching connection for ICMP error message: icmp src Inside: 10.10.10.1 dst identity: 10.10.10.251 (type 3 code 13) on Inside interface. Original payload: icmp src 10.10.10.251 dst 10.10.10.1 (type 0, code 0)
So basically I am pinging from the internal side (left router/10.10.10.1) to the internal IP of the FW (10.10.10.251).
I added a network object (Internal Lan) to allow all 192 addresses, so I entered 192.168.0.0 /16 and applied this to allow ICMP to the internal and external interfaces of the FW. Obviously it is not working. Can someone point me in the right direction?
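Added example, not part of the original thread: a small Python decoder for the log line quoted in the post above. It splits the message into the ICMP error and the original packet that error quotes, then names the type/code pairs. The names table is a subset taken from RFC 792 and RFC 1812, and the function and field names are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Log line copied from the first post of the thread.
SAMPLE = ("no matching connection for ICMP error message: icmp src Inside: 10.10.10.1 "
          "dst identity: 10.10.10.251 (type 3 code 13) on Inside interface. "
          "Original payload: icmp src 10.10.10.251 dst 10.10.10.1 (type 0, code 0)")

# Subset of ICMP (type, code) names from RFC 792 and RFC 1812.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (8, 0): "echo request",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 13): "destination unreachable: communication administratively prohibited",
    (11, 0): "time exceeded: TTL exceeded in transit",
}

class IcmpInfo(NamedTuple):
    src_if: Optional[str]   # interface name, absent in the quoted payload
    src: str
    dst_if: Optional[str]
    dst: str
    icmp_type: int
    icmp_code: int

    @property
    def name(self) -> str:
        return ICMP_NAMES.get((self.icmp_type, self.icmp_code), "unknown")

# Interface prefix is optional; the comma between type and code varies in the log.
_IP = r"(\d+\.\d+\.\d+\.\d+)"
_PAT = re.compile(r"icmp src (?:(\S+?):\s*)?" + _IP + r" dst (?:(\S+?):\s*)?" + _IP
                  + r" \(type (\d+),? code (\d+)\)")

def parse(line: str):
    """Return (error, original) descriptions, or None if the line has another shape."""
    found = [IcmpInfo(m[1], m[2], m[3], m[4], int(m[5]), int(m[6]))
             for m in _PAT.finditer(line)]
    return tuple(found) if len(found) == 2 else None

def triage(line: str):
    parsed = parse(line)
    if parsed is None:
        return None
    err, orig = parsed
    # An ICMP error is sent back to the source of the packet it quotes.
    return {"error_sender": err.src, "error": err.name,
            "original_sender": orig.src, "original": orig.name,
            "consistent": err.dst == orig.src and err.src == orig.dst}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```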
03-20-2018 08:45 AM
Are you inspecting icmp in your class-map (which is referenced by the policy-map and applied via the service policy)?
By default an ASA doesn't inspect icmp and thus has no entry in the state table for it, resulting in the error message like the one you mentioned.
03-20-2018 08:56 AM
03-20-2018 09:00 AM
You should see something like this in the config. Note the inspect icmp statement:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
03-20-2018 10:25 AM
03-20-2018 11:40 AM
Can you share the configuration of the ASA please?
Run the command debug icmp trace and then ping the inside interface of the firewall. What is the output in the logs?
Have you run packet tracer and seen what it says?
03-20-2018 02:00 PM
03-23-2018 01:43 PM
03-23-2018 02:16 PM
03-26-2018 07:26 AM
03-21-2018 02:51 AM
If you don't inspect icmp, the firewall won't allow the icmp echo reply return traffic that is required for ping to work. Add that inspection and try it again.
03-23-2018 12:06 PM
03-23-2018 02:14 PM
From the CLI, add icmp inspect as Marvin suggested:
policy-map global_policy
 class inspection_default
  inspect icmp
03-24-2018 07:23 AM
Ok I will try that this week
03-24-2018 07:25 AM