02-11-2015 10:21 AM - edited 03-11-2019 10:29 PM
Traffic is being blocked from "interface GigabitEthernet1/3.420" to nameif outside. When I do a ping from the inside network, I can see traffic hitting the ASA, but it appears to be getting blocked by the access group. Tried to modify the ACL but nothing helps. Config below.
4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:124.40.254.242 dst CHTN-A10-EXTERNAL:40.32.218.29 (type 11, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:12|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:13|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
4|Feb 11 2015 18:15:14|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 (type 0, code 0) by access-group "outside" [0x0, 0x0]
CHTN-INET-ASA/sec/act# sho running-config
: Saved
:
ASA Version 9.1(1)
!
hostname CHTN-INET-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.120.0.0 A-10.120.0.0 description WDO Internal
name 10.120.16.13 Orion description Orion
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description LAN/STATE Failover Interface
!
interface GigabitEthernet1/0
nameif outside
security-level 0
ip address 80.10.149.246 255.255.255.240 standby 80.10.149.247
!
interface GigabitEthernet1/1
nameif dmz
security-level 50
ip address 80.10.149.3 255.255.255.192 standby 80.10.149.4
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.121.0.1 255.255.255.248 standby 10.121.0.2
!
interface GigabitEthernet1/3
nameif DMZ-TRUNK
security-level 50
no ip address
!
interface GigabitEthernet1/3.420
description Charleston A10 direct-connect
vlan 420
nameif CHTN-A10-EXTERNAL
security-level 70
ip address 40.32.218.1 255.255.255.224
!
boot system disk0:/asa911-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.120.100.50
host 10.120.100.50
object network Orion
host 10.120.16.13
description Created during name migration
object-group network Outside-Management
description Outside-Management IP Space
network-object host 10.121.10.2
network-object host 10.121.10.3
network-object host 10.121.10.4
network-object host 10.121.10.5
object-group network WDO-Internal
description WDO-Internal IP Space
network-object A-10.120.0.0 255.252.0.0
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp destination eq ntp
service-object udp destination eq snmp
service-object udp destination eq snmptrap
service-object udp destination eq syslog
service-object tcp destination eq tacacs
service-object udp destination eq 2055
object-group network DM_INLINE_NETWORK_1
network-object A-10.120.0.0 255.252.0.0
network-object 80.10.149.240 255.255.255.240
object-group network CHTN-A10-EXTERNAL
network-object 40.32.218.0 255.255.255.224
access-list inside extended permit ip object-group WDO-Internal object-group Outside-Management
access-list CHTN-A10-EXTERNAL_access_in extended permit ip object-group CHTN-A10-EXTERNAL any
access-list outside extended permit object-group DM_INLINE_SERVICE_1 object-group Outside-Management object-group WDO-Internal
access-list outside extended permit icmp object-group DM_INLINE_NETWORK_1 object Orion
access-list outside remark Migration, ACE (line 3) expanded: permit tcp object-group Outside-Management host 80.10.149.244 eq
access-list outside extended permit tcp host 10.121.10.2 host 10.120.100.50 eq tacacs
access-list outside extended permit tcp host 10.121.10.3 host 10.120.100.50 eq tacacs
access-list outside extended permit tcp host 10.121.10.4 host 10.120.100.50 eq tacacs
access-list outside extended permit tcp host 10.121.10.5 host 10.120.100.50 eq tacacs
access-list outside remark Migration: End of expansion
access-list outside remark Migration, ACE (line 3) expanded: permit tcp object-group Outside-Management host 80.10.149.244 eq
access-list outside remark Migration: End of expansion
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging trap warnings
logging asdm informational
logging from-address asa@ntelospcs.net
logging facility 22
logging host inside Orion
logging host inside 10.121.16.231
logging host inside 10.120.16.231
logging permit-hostdown
logging message 106001 level informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu DMZ-TRUNK 1500
mtu CHTN-A10-EXTERNAL 1500
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.121.0.45 255.255.255.252 standby 10.121.0.46
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface description PAT for Internet Access
!
object network obj-10.120.100.50
nat (inside,outside) static 80.10.149.244 service tcp tacacs tacacs
access-group outside in interface outside
access-group inside in interface inside
access-group CHTN-A10-EXTERNAL_access_in in interface CHTN-A10-EXTERNAL
!
router ospf 100
router-id 10.121.0.1
network 10.124.252.24 255.255.255.248 area 0
log-adj-changes
redistribute connected subnets
redistribute static subnets
default-information originate always
!
route outside 0.0.0.0 0.0.0.0 80.10.149.241 1
route inside A-10.120.0.0 255.252.0.0 10.121.0.5 1
route outside 10.121.10.2 255.255.255.255 80.10.149.241 1
route outside 10.121.10.3 255.255.255.255 80.10.149.241 1
route outside 10.121.10.4 255.255.255.255 80.10.149.241 1
route outside 10.121.10.5 255.255.255.255 80.10.149.241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server tac protocol tacacs+
aaa-server tac (inside) host 10.121.16.32
key *****
aaa-server tac (inside) host 10.120.16.32
key *****
user-identity default-domain LOCAL
aaa authentication enable console tac LOCAL
aaa authentication http console tac LOCAL
aaa authentication ssh console tac LOCAL
aaa accounting enable console tac
aaa accounting serial console tac
aaa accounting ssh console tac
aaa accounting telnet console tac
aaa accounting command tac
http server enable
http A-10.120.0.0 255.255.0.0 inside
http 10.120.9.0 255.255.255.0 inside
http 10.120.16.22 255.255.255.255 inside
snmp-server host inside 10.120.16.10 poll community ***** version 2c
snmp-server host inside Orion community ***** version 2c
snmp-server host inside 10.120.16.231 community ***** version 2c
snmp-server host inside 10.120.9.120 poll community ***** version 2c
snmp-server host inside 10.121.16.231 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh A-10.120.0.0 255.252.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.121.10.0 source inside prefer
ntp server 10.121.10.1 source inside
ssl encryption 3des-sha1 des-sha1
username admin password suAq/dPwstP7b0/A encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname priority state
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b9c9506a6efa5d3a332c90dc7f2a6496
: end
CHTN-INET-ASA/sec/act#
02-11-2015 02:35 PM
You need to allow ICMP echo-reply from the destination.
access-list outside extended permit icmp host 4.2.2.2 any echo-reply
02-11-2015 02:42 PM
OK, thanks. I'll give it a try tonight in a maintenance window and see what happens.
02-11-2015 11:39 PM
Jonathan,
Or you can add ICMP inspection to your Global Policy map
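The two answers above fix the same thing in different places: without ICMP inspection the ASA has no connection state for a ping, so the echo-reply arriving on outside is treated as a brand-new connection and must be permitted by the "outside" ACL (which is what the 106023 denies in the original post show); with inspect icmp the echo request creates a session and the reply is matched to it before any ACL is consulted. The model below is an added example, not code from the thread or from Cisco; it reduces the ASA to an ICMP session table plus per-interface inbound ACLs, ignores NAT, and pairs only echo request/reply (ICMP error messages such as the type 11 time-exceeded line in the post are not tracked). It re-runs the posted deny lines and a constructed ping through the posted ACLs under no fix, the echo-reply ACE, and ICMP inspection. Names such as Ace, Asa and ping_verdicts are the example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# 106023 deny messages as posted in the thread (two distinct lines; the others repeat the first).
LOG_LINES = [
    '4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:4.2.2.2 dst CHTN-A10-EXTERNAL:40.32.218.2 '
    '(type 0, code 0) by access-group "outside" [0x0, 0x0]',
    '4|Feb 11 2015 18:15:11|106023: Deny icmp src outside:124.40.254.242 dst CHTN-A10-EXTERNAL:40.32.218.29 '
    '(type 11, code 0) by access-group "outside" [0x0, 0x0]',
]

LOG_RE = re.compile(
    r'106023: Deny icmp src (?P<sif>[\w-]+):(?P<src>[\d.]+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)'
)

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11


@dataclass(frozen=True)
class Icmp:
    ingress: str          # nameif the packet arrives on
    src: str
    dst: str
    icmp_type: int
    icmp_id: int = 0      # echo identifier; the syslog does not carry it, so parsed packets get 0


def parse_deny(line: str) -> Optional[Icmp]:
    """Turn one 106023 syslog line into an Icmp packet (None if it is not an ICMP deny)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Icmp(m['sif'], m['src'], m['dst'], int(m['type']))


@dataclass(frozen=True)
class Ace:
    """One 'permit icmp <src> <dst> [type]' entry; 'any' or a prefix for src/dst."""
    src: str
    dst: str
    icmp_type: Optional[int] = None   # None matches every ICMP type

    def matches(self, pkt: Icmp) -> bool:
        def in_spec(addr, spec):
            return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return (in_spec(pkt.src, self.src) and in_spec(pkt.dst, self.dst)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))


class Asa:
    """Just enough of the ASA forwarding path: ICMP session table, then the ingress inbound ACL."""

    def __init__(self, acls, inspect_icmp=False):
        self.acls = acls                  # nameif -> list of Ace applied 'in' on that interface
        self.inspect_icmp = inspect_icmp  # True models 'inspect icmp' in global_policy
        self.sessions = set()             # (src, dst, icmp_id) of echo requests awaiting a reply

    def forward(self, pkt: Icmp) -> str:
        # With inspection, an echo-reply that answers a request we forwarded belongs to an
        # existing connection and is never checked against the ingress ACL.
        if self.inspect_icmp and pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.icmp_id)
            if key in self.sessions:
                self.sessions.discard(key)    # inspection allows one reply per request
                return 'PERMIT (existing ICMP session)'
        # Anything else is a new connection and must be permitted by the inbound ACL.
        if not any(ace.matches(pkt) for ace in self.acls.get(pkt.ingress, [])):
            return 'DENY by access-group "%s"' % pkt.ingress
        if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
            self.sessions.add((pkt.src, pkt.dst, pkt.icmp_id))
        return 'PERMIT (ACL)'


def base_acls():
    """ICMP-relevant ACEs from the posted config, translated into this model."""
    return {
        # access-list CHTN-A10-EXTERNAL_access_in extended permit ip object-group CHTN-A10-EXTERNAL any
        'CHTN-A10-EXTERNAL': [Ace('40.32.218.0/27', 'any')],
        # access-list outside extended permit icmp object-group DM_INLINE_NETWORK_1 object Orion
        'outside': [Ace('10.120.0.0/14', '10.120.16.13/32'), Ace('80.10.149.240/28', '10.120.16.13/32')],
    }


def ping_verdicts(fix: str):
    """Verdicts for a constructed echo request 40.32.218.2 -> 4.2.2.2 and its reply under
    no fix, the 'acl' fix (permit icmp host 4.2.2.2 any echo-reply) or the 'inspect' fix."""
    acls = base_acls()
    if fix == 'acl':
        acls['outside'].append(Ace('4.2.2.2/32', 'any', ECHO_REPLY))
    asa = Asa(acls, inspect_icmp=(fix == 'inspect'))
    request = Icmp('CHTN-A10-EXTERNAL', '40.32.218.2', '4.2.2.2', ECHO_REQUEST, icmp_id=1)
    reply = Icmp('outside', '4.2.2.2', '40.32.218.2', ECHO_REPLY, icmp_id=1)
    return [asa.forward(request), asa.forward(reply)]


def recheck_logged_denies(fix: str):
    """Re-run the posted deny lines through the outside ACL (optionally with the 'acl' fix)
    to see which of them that single echo-reply ACE actually covers."""
    acls = base_acls()
    if fix == 'acl':
        acls['outside'].append(Ace('4.2.2.2/32', 'any', ECHO_REPLY))
    asa = Asa(acls)
    return [(p.src, p.icmp_type, asa.forward(p)) for p in map(parse_deny, LOG_LINES) if p]


if __name__ == '__main__':
    for fix in ('none', 'acl', 'inspect'):
        print(fix, ping_verdicts(fix))
    print(recheck_logged_denies('acl'))
```

Running it shows the reply denied with no fix, permitted by the ACL under the echo-reply ACE, and permitted by the session table under inspection. Re-checking the posted log lines also shows the limit of the ACE-only approach: it covers the type 0 replies from 4.2.2.2 but not the type 11 message from 124.40.254.242, so any other ping target or intermediate hop would need its own entry, whereas inspection keys on the request the ASA already forwarded.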
02-12-2015 06:39 AM
Andre,
I liked your options. Gave it a try and it solved the problem, thanks.
02-12-2015 09:14 PM
It's a pleasure to be of assistance.