Ping from Outside allowed but not enabled on Outside ACL.

CiscoBrownBelt
Level 6

So I have a basic lab setup - see attached. My outside host machine is able to ping my internal host when ICMP is not enabled on the ACL on Outside. Does anyone know why this may be the case?

ASA# sh run
: Saved
:
: Serial Number: JMX184940D6
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(7)
!
hostname SiteP-ASA
enable password kqNsU0EdOEv8n9Op encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 15
!
interface Ethernet0/6
switchport access vlan 15
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
no forward interface Vlan2
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan15
nameif inside
security-level 100
ip address 192.168.15.254 255.255.255.0
!
ftp mode passive
object network Internal_Lan
subnet 192.168.15.0 255.255.255.0
object network Dellr610_Srv
host 192.168.15.1
description Dellr610_Srv on Inside
object network Virtual_Environment_192.168.15.0
range 192.168.15.0 192.168.15.255
description Virtual_Environment_192.168.15.0 on inside_LAN
object network Outside_HP_Upstairs_WS
host 192.168.1.217
description Outside HP Upstairs WS
object service Server_Port_3080
service tcp source eq 3080 destination eq 3080
description Port needed to access servers
object network Site_P_Outside_Lan
range 192.168.1.1 192.168.1.254
description Site_P_Outside_Lan
object service DNS
service udp source eq domain destination eq domain
description Domain Name Service
object service DNS_TCP
service tcp source eq domain destination eq domain
description Domain Name Service TCP
object service DNS_Tcp
service udp source eq domain destination eq domain
object-group network Internal_Subnets
description Internal_Subnets
network-object object Dellr610_Srv
network-object object Virtual_Environment_192.168.15.0
object-group icmp-type ICMP_Connectivity_Testing
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object information-reply
icmp-object information-request
icmp-object unreachable
object-group service Web_Ports
description Web_Ports needed to access the internet NOT WORKING
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object object DNS
service-object object DNS_TCP
service-object tcp destination eq ssh
service-object icmp
service-object tcp destination eq domain
service-object tcp destination eq 2598
object-group network Site_P_Outside_Lan_Mgmt_Hosts
description Outside_Lan hosts allowed to inside servers
network-object object Outside_HP_Upstairs_WS
object-group service Server_Ports
description Ports needed to access servers from Outside/Inside
service-object object Server_Port_3080
object-group network DM_INLINE_NETWORK_2
network-object object Internal_Lan
network-object object Virtual_Environment_192.168.15.0
object-group network DM_INLINE_NETWORK_1
network-object object Site_P_Outside_Lan
group-object Site_P_Outside_Lan_Mgmt_Hosts
object-group network DM_INLINE_NETWORK_5
group-object Internal_Subnets
network-object object Virtual_Environment_192.168.15.0
object-group network DM_INLINE_NETWORK_6
network-object object Internal_Lan
network-object object Virtual_Environment_192.168.15.0
object-group network DM_INLINE_NETWORK_7
group-object Internal_Subnets
network-object object Virtual_Environment_192.168.15.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_9
network-object object Internal_Lan
network-object object Virtual_Environment_192.168.15.0
access-list outside_access_in extended permit ip object Site_P_Outside_Lan object-group DM_INLINE_NETWORK_2
access-list Inside extended permit ip 192.168.15.0 255.255.255.0 any log inactive
access-list Inside extended permit ip any any log inactive
access-list Inside remark Internal_Subnets allowed to Internet
access-list Inside extended permit ip object-group Internal_Subnets any inactive
access-list Inside remark Ports needed for testing
access-list Inside extended permit icmp object-group DM_INLINE_NETWORK_7 any object-group ICMP_Connectivity_Testing
access-list Inside remark Ports needed to access internet web pages
access-list Inside extended permit ip object-group DM_INLINE_NETWORK_5 any
access-list Inside remark Ports needed from connectivity testing
access-list Inside extended permit icmp object-group DM_INLINE_NETWORK_1 object-group Internal_Subnets object-group ICMP_Connectivity_Testing inactive
access-list Inside extended permit ip object Outside_HP_Upstairs_WS object-group DM_INLINE_NETWORK_9 inactive
access-list Inside extended permit ip object-group DM_INLINE_NETWORK_6 object Outside_HP_Upstairs_WS inactive
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-717.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group Inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.217 255.255.255.255 outside
http 192.168.15.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.217 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 2

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
username neteng password bzvbyY6YRFaansCf encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:336b3dbcfc0aea619aeb9791f6bc0b74
: end


Francesco Molino
VIP Alumni
Hi

The following ACL is allowing your outside subnet to access your internal subnet:

access-list outside_access_in extended permit ip object Site_P_Outside_Lan object-group DM_INLINE_NETWORK_2

Remove it and your ping won't work anymore.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


7 Replies


That is, if 192.168.1.217 is the IP on the outside PC. With no actual information on where in the network these IPs are allocated, it is difficult to know where the issue is.

You could run a packet-tracer to see what rule is actually allowing the traffic.

--
Please remember to select a correct answer and rate helpful posts

Right. OK, I thought I had to choose the ICMP service to allow it, but I guess it is allowed as part of the whole IP suite.

Also, if I ping from the Outside machine to Inside I don't even see the pings (echo request and reply) in the Real-time Log Viewer. I am filtering using the Outside IP subnet or filtering everything and still don't see it. See attached while running -t.

Shouldn't I see echo-reply and request in the logs?

What's your final config today and what is the source IP and destination IP?

Have you run a packet-tracer to see if the traffic is allowed? Because if it isn't, then you wouldn't see any echo-reply.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi!
Sorry, I did not realize that ICMP falls under IP and would be allowed if I allow IP in a rule.
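As an added example (not posted by anyone in this thread), the ASA commands that show why the "permit ip" ACE matches the ping, how packet-tracer confirms it, why nothing appears in the Real-time Log Viewer, and a narrower ACE built from the object groups already in the posted config. It assumes the outside PC is 192.168.1.217 (the Outside_HP_Upstairs_WS object) and the inside target is 192.168.15.1 (the Dellr610_Srv object); 192.168.1.50 is a constructed address for a second outside host.

```text
! 1. Check which ACE an ICMP echo request (type 8, code 0) arriving on "outside" matches.
!    The ACCESS-LIST phase of the output names the matching ACE and the result ends "Action: allow".
packet-tracer input outside icmp 192.168.1.217 8 0 192.168.15.1

! 2. Watch the hit counts. "permit ip" covers every IP protocol, ICMP included,
!    so the hitcnt on that ACE climbs while the outside PC runs ping -t.
show access-list outside_access_in

! 3. Broad ACE as posted: any IP protocol, from the whole outside LAN, to the inside subnets.
!    It carries no "log" keyword, so permitted packets never raise syslog 106100,
!    which is why the echoes are absent from the Real-time Log Viewer.
access-list outside_access_in extended permit ip object Site_P_Outside_Lan object-group DM_INLINE_NETWORK_2

! 4. Narrowed replacement: only the management host group, only the ICMP types already
!    defined in ICMP_Connectivity_Testing, and logged so the echoes become visible.
no access-list outside_access_in extended permit ip object Site_P_Outside_Lan object-group DM_INLINE_NETWORK_2
access-list outside_access_in remark Connectivity testing from the outside mgmt host only
access-list outside_access_in extended permit icmp object-group Site_P_Outside_Lan_Mgmt_Hosts object-group DM_INLINE_NETWORK_2 object-group ICMP_Connectivity_Testing log

! 5. Re-test from the management host (still "Action: allow") and from a constructed
!    second outside host, which now falls through to the implicit deny ("Action: drop").
packet-tracer input outside icmp 192.168.1.217 8 0 192.168.15.1
packet-tracer input outside icmp 192.168.1.50 8 0 192.168.15.1
```

Removing the broad ACE also removes the only path for any other outside-to-inside traffic (for example the Server_Ports group on tcp/3080), so each such flow needs its own explicit ACE after this change.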