unable to ping from specific ip to outside

Khurram
Level 1

I am having an ASA firewall with 9.6 code. When I create and apply an ACL as below it works fine:
ASA(config)#access-list abc permit icmp any any echo-reply
ASA(config)# access-group abc in interface Outside

But when I want to allow a specific IP to ping to Outside, creating an ACL as below, it does not work.

ASA(config)#access-list abc permit icmp host 1.1.1.1 192.1.20.0 255.255.255.0 echo-reply
ASA(config)# access-group abc in interface Outside

Help me

thanks

16 Replies

balaji.bandi
Hall of Fame

Where is this host IP address 1.1.1.1 located?

Do you have NAT enabled?

BB

This host is located at inside.

No NAT configured.

Routing done.

Can you run packet tracer as suggested and also look at the logs when you are pinging, to see what the cause of dropping the ping is?

BB

Hi,
Is 1.1.1.1 the loopback of the router? Is that traffic being natted on the ASA?

Turn on debug with command "debug icmp trace" and run the ping test again, upload the output.
Run packet-tracer from the CLI and upload the output.
Provide the full configuration for review.

You could also enable icmp inspection using MPF with the command "fixup protocol icmp"

HTH

1.1.1.1 is a loopback but I have checked it with a physical interface IP as well.
No NAT configured.
I enabled debug on the outside router ("debug icmp packets"); the packet goes out, but when it comes back and hits the firewall Outside interface it is dropped.
Here is the configuration:
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.1.20.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.11.11.10 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list abc extended permit icmp host 10.11.11.1 host 192.1.20.2 echo-reply
pager lines 23
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group abc in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.1.20.2 1
route Inside 1.1.1.0 255.255.255.0 10.11.11.1 1

Your current ACL is "access-list abc extended permit icmp host 10.11.11.1 host 192.1.20.2 echo-reply" so the source IP address is not 1.1.1.1

So did you run the icmp debug and confirm which IP address is sending the ping?
Did you run packet-tracer?

I assume when you run the ping you are specifying the source IP address/interface?

Yes, I know that in the ACL I have written 10.11.11.1, but it does not work with this IP as well.
Can you tell me the packet tracer command?

Yes, I am specifying the source IP/interface.

Please provide the output of the icmp debug.

You'll need to change the ACL if you want the packet-tracer to work, just add another line entry for source 1.1.1.1.

Use this "packet-tracer input inside icmp 1.1.1.1 8 0 192.1.20.2" provide the full output for review

Outside#debug ip icmp
ICMP packet debugging is on
Outside#
*Dec 31 12:17:09.952: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:11.958: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:13.955: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:15.956: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
Outside#
*Dec 31 12:17:17.960: ICMP: echo reply sent, src 192.1.20.2, dst 1.1.1.1, topology BASE, dscp 0 topoid 0
ciscoasa(config)# packet-tracer input inside icmp 1.1.1.1 8 0 192.1.20.2

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.1.20.2 using egress ifc Outside

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16, packet dispatched to next module

Result:
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

 

 

ciscoasa(config)# ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=0 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=1 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=2 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=3 len=72
ICMP echo request from Inside:1.1.1.1 to Outside:192.1.20.2 ID=7 seq=4 len=72

ciscoasa(config)#
Inside#ping 192.1.20.2 source ethernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.20.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
Inside#

Ok, does the "outside" router have a route to 1.1.1.1 via the ASA?

I have inserted a default route "ip route 0.0.0.0 0.0.0.0 192.1.20.10" pointing to the firewall Outside interface.

You mean you have just added the route to the router or it was already there?

What is the output of "show access-list" any hits on the ACL?
Add the command as suggested earlier "fixup protocol icmp"

It is already there.
When I create and apply the ACL as below:
"access-list abc permit icmp any any echo-reply
access-group abc in int outside"
it works fine with the same configuration on all devices.

ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list abc; 1 elements; name hash: 0x275fa452
access-list abc line 1 extended permit icmp host 1.1.1.1 192.1.20.0 255.255.255.0 echo-reply (hitcnt=0) 0x5086e19f

If I add the "fixup protocol icmp" command it will allow all subnets to ping from inside to outside, but I want to allow only a specific IP. After adding this command it works fine, but every network on the inside can ping.

Re-reading the entire thread and checking your diagram, the answer is obvious....you just need to flip the source and destination in your ACL. The source of the icmp echo-reply will be 192.1.20.2 and the destination is 1.1.1.1.

HTH
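The accepted answer comes down to packet direction: an ACL applied with "access-group abc in interface Outside" is evaluated against packets arriving on Outside, so the echo-reply has source 192.1.20.2 and destination 1.1.1.1. The small simulator below is an added illustration, not Cisco code and not from the thread; it parses the ACEs quoted above with the ASA's netmask syntax and shows why the original entry gets hitcnt=0 while the flipped one matches (the ACL names, packet fields and the 10.11.11.1 check are constructed for the example).

```python
import ipaddress

# Added example: first-match ACL evaluation with the ASA's implicit deny at the end.
# Packet fields and the "unauthorised host" check are constructed for illustration.

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny icmp SRC DST [icmp-type]'.
    SRC/DST are 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK' (ASA uses a netmask,
    not a wildcard). Returns a dict the evaluator can match against."""
    tok = line.split()
    assert tok[0] == "access-list", "not an ACE"
    tok = tok[2:]                      # drop 'access-list NAME'
    if tok[0] == "extended":
        tok = tok[1:]
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take_addr(t):
        if t[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), t[1:]
        if t[0] == "host":
            return ipaddress.ip_network(t[1] + "/32"), t[2:]
        return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    icmp_type = rest[0] if rest else None   # None = any ICMP type
    return {"action": action, "proto": proto, "src": src, "dst": dst, "type": icmp_type}

def evaluate(acl, pkt):
    """Return the action of the first matching ACE, or the implicit deny."""
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for ace in acl:
        if (ace["proto"] in (pkt["proto"], "ip") and s in ace["src"] and d in ace["dst"]
                and ace["type"] in (None, pkt["type"])):
            return ace["action"]
    return "deny (implicit)"

# The echo-reply that hits the Outside interface, as the router debug shows it:
# "echo reply sent, src 192.1.20.2, dst 1.1.1.1"
REPLY = {"proto": "icmp", "src": "192.1.20.2", "dst": "1.1.1.1", "type": "echo-reply"}
# Same reply addressed to a host the ACL should NOT admit (constructed)
REPLY_OTHER = dict(REPLY, dst="10.11.11.1")

ORIGINAL = [parse_ace("access-list abc extended permit icmp host 1.1.1.1 192.1.20.0 255.255.255.0 echo-reply")]
FLIPPED = [parse_ace("access-list abc extended permit icmp host 192.1.20.2 host 1.1.1.1 echo-reply")]
ANY_ANY = [parse_ace("access-list abc permit icmp any any echo-reply")]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("flipped", FLIPPED), ("any any", ANY_ANY)):
        print(f"{name:9} reply to 1.1.1.1 -> {evaluate(acl, REPLY)}; to 10.11.11.1 -> {evaluate(acl, REPLY_OTHER)}")
```

The flipped ACE permits only the reply to 1.1.1.1 and still drops replies to other inside hosts, which is the selective behaviour "fixup protocol icmp" alone does not give.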