Re: No matching connection for ICMP error message. - Page 2

CiscoBrownBelt · ‎03-20-2018

See diagram attachment.

I receive the following error in the logs of the ASA:

no matching connection for ICMP error message: icmp src Inside: 10.10.10.1 dst identity: 10.10.10.251 (type 3 code 13) on Inside interface. Original payload: icmp src 10.10.10.251 dst 10.10.10.1 (type 0, code 0)

So basically I am pining from the internal side (left router/10.10.10.1) to internal IP of FW (10.10.10.251).

I added a network object (Internal Lan) to allow all 192 address so I entered 192.168.0.0 /16 and applied this to allow ICMP to the internal and external interfaces of the FW. Obviously it is not working. Can someone point me in right direction?

CiscoBrownBelt · ‎03-20-2018

So logs do show denies coming from the devices I ping from (all device except FW as shown in diagram), but I have entries to allow the anything on 192.168 (192.168.0.0 /16) in addition to the device IPs shown on diagram, but they still get denied. I added them as source and destinations and allowing icmp echo replies. Sound like anything I am missing?

Rob Ingram · ‎03-20-2018

On your diagram, what looks to be the inside interface of the FW has an IP address of 10.10.20.10.2 /24 - which is invalid, is that just incorrect on the diagram? You previously said the inside IP of the FW is 10.10.10.251.

You mention the 192.168.0.0/16 subnet, do you have a route on the FW to that network?

This will all become clearer tomorrow when we can have a look at the configuration of the ASA.

CiscoBrownBelt · ‎03-20-2018

Sorry diagram is wrong - I have updated it and attached it.

FW is 10.10.20.2 and router g0/1 has ip 10.10.20.1.
Mistake again I meant to say 10.10 instead of 192.168.

Yes I have the following route on the FW: route inside 10.10.0.0 255.255.0.0 10.10.20.1 to point to the router mgmt. sub interface to get to any 10.10.X.X traffic as I will have more than 10.10.10.X subnets.

CiscoBrownBelt · ‎03-20-2018

Forgot to attach.