cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
855
Views
0
Helpful
2
Replies

Allow ping from inside to ASA and traceroute

jschaeffer1
Level 1
Level 1

I have an ASA 5508 and I'm trying to allow hosts on the inside network to ping the ASA outside interface. From my understanding requests from a higher security level to a lower should be implicitly allowed, however it looks like all icmp echo requests are being dropped at the inside interface. Note that I can ping past the outside interface. Below is my network layout:

network_layout_public.jpg

  When I try to ping the outside interface from an inside network it fails:

 

user@server02:~$ ip --brief -4 addr show bond-mgmt
bond-mgmt        UP             10.2.28.100/22

user@server02:~$ ping -c 4 10.2.1.1
PING 10.2.1.1 (10.2.1.1) 56(84) bytes of data.
64 bytes from 10.2.1.1: icmp_seq=1 ttl=254 time=0.375 ms
64 bytes from 10.2.1.1: icmp_seq=2 ttl=254 time=0.378 ms
64 bytes from 10.2.1.1: icmp_seq=3 ttl=254 time=0.357 ms
64 bytes from 10.2.1.1: icmp_seq=4 ttl=254 time=0.398 ms

--- 10.2.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.357/0.377/0.398/0.014 ms

user@server02:~$ ping -c 4 203.0.113.5
PING 203.0.113.5 (203.0.113.5) 56(84) bytes of data.

--- 203.0.113.5 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3076ms

user@server02:~$ ping -c 4 203.0.113.1
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=63 time=0.637 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=63 time=0.614 ms
64 bytes from 203.0.113.1: icmp_seq=3 ttl=63 time=0.609 ms
64 bytes from 203.0.113.1: icmp_seq=4 ttl=63 time=1.55 ms

--- 203.0.113.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3048ms
rtt min/avg/max/mdev = 0.609/0.854/1.558/0.407 ms

Here is my config on the ASA:

ASA# show running-config 

...

ASA Version 9.8(2) 
!

...

interface GigabitEthernet1/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!             
interface GigabitEthernet1/3
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!

...

interface Port-channel1
 lacp max-bundle 8
 nameif outside
 security-level 0
 ip address 203.0.113.5 255.255.255.248 
 ipv6 address 2001:db8:1::4/64
 ipv6 enable
!
interface Port-channel2
 lacp max-bundle 8
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0 
 ipv6 address 2001:db8:2::1/64
 ipv6 enable
!

...

access-list outside_ingress extended permit ip any 203.0.113.0 255.255.255.0 
access-list outside_ingress extended permit icmp any 198.41.100.0 255.255.255.248 
access-list outside_ingress extended permit tcp any host 203.0.113.84 eq imap4 
access-list outside_ingress extended permit tcp any host 203.0.113.85 eq 587 
access-list outside_ingress extended permit tcp any host 203.0.113.85 eq smtp 
access-list outside_ingress extended permit ip any 2001:db8:2::/48 
access-list outside_ingress extended permit icmp6 any 2001:db8:1::/64 
access-list outside_ingress extended permit tcp any host 2001:db8:2::1 eq imap4 
access-list outside_ingress extended permit tcp any host 2001:db8:2::2 eq 587 
access-list outside_ingress extended permit tcp any host 2001:db8:2::3 eq smtp 
pager lines 24
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!

...

access-group outside_ingress in interface outside
ipv6 route outside ::/0 2001:db8:1::1
ipv6 route inside 2001:db8:2::/48 2001:db8:2:1::1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.2.0.0 255.255.0.0 10.2.1.2 1
route inside 203.0.113.0 255.255.255.0 10.2.1.2 1
route inside 192.168.4.0 255.255.255.0 10.2.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
!

...

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global

...

: end

I'd also like to allow traceroute from inside my network, but this seems to be failing for IPv4:

user@server01:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max
  1   10.2.24.1  1.145ms  2.477ms  2.198ms 
  2   *  *  * 
  3   *  *  * 
  4   *  *  * 
  5   *  *  * 
  6   *  *  * 
  7   *  *  * 
  8   *  *  * 
  9   *  *  * 
 10   *  *  * 
 11   *  *  * 
 12   *  *  * 
 13   *  *  * 
 14   *  *  * 
 15   *  *  * 
 16   *  *  * 
 17   *  *  * 
 18   *  *  * 
 19   *  *  * 
 20   *  *  * 
 21   *  *  * 
 22   *  *  * 
 23   *  *  * 
 24   *  *  *

 

1 Accepted Solution

Accepted Solutions

Hi,

That is not possible (by design).

 

"The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface"

 

Reference:-

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html


HTH

View solution in original post

2 Replies 2

Hi,

That is not possible (by design).

 

"The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface"

 

Reference:-

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html


HTH

Good to know, thanks.

Review Cisco Networking for a $25 gift card