06-08-2020 10:57 AM - edited 06-23-2020 01:37 PM
I have an ASA 5508 and I'm trying to allow hosts on the inside network to ping the ASA outside interface. From my understanding, requests from a higher security level to a lower one should be implicitly allowed; however, it looks like all ICMP echo requests are being dropped at the inside interface. Note that I can ping past the outside interface. Below is my network layout:
When I try to ping the outside interface from an inside network it fails:
user@server02:~$ ip --brief -4 addr show bond-mgmt
bond-mgmt        UP             10.2.28.100/22
user@server02:~$ ping -c 4 10.2.1.1
PING 10.2.1.1 (10.2.1.1) 56(84) bytes of data.
64 bytes from 10.2.1.1: icmp_seq=1 ttl=254 time=0.375 ms
64 bytes from 10.2.1.1: icmp_seq=2 ttl=254 time=0.378 ms
64 bytes from 10.2.1.1: icmp_seq=3 ttl=254 time=0.357 ms
64 bytes from 10.2.1.1: icmp_seq=4 ttl=254 time=0.398 ms

--- 10.2.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.357/0.377/0.398/0.014 ms
user@server02:~$ ping -c 4 203.0.113.5
PING 203.0.113.5 (203.0.113.5) 56(84) bytes of data.

--- 203.0.113.5 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3076ms
user@server02:~$ ping -c 4 203.0.113.1
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=63 time=0.637 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=63 time=0.614 ms
64 bytes from 203.0.113.1: icmp_seq=3 ttl=63 time=0.609 ms
64 bytes from 203.0.113.1: icmp_seq=4 ttl=63 time=1.55 ms

--- 203.0.113.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3048ms
rtt min/avg/max/mdev = 0.609/0.854/1.558/0.407 ms
Here is my config on the ASA:
ASA# show running-config
...
ASA Version 9.8(2)
!
...
interface GigabitEthernet1/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!
...
interface Port-channel1
 lacp max-bundle 8
 nameif outside
 security-level 0
 ip address 203.0.113.5 255.255.255.248
 ipv6 address 2001:db8:1::4/64
 ipv6 enable
!
interface Port-channel2
 lacp max-bundle 8
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
 ipv6 address 2001:db8:2::1/64
 ipv6 enable
!
...
access-list outside_ingress extended permit ip any 203.0.113.0 255.255.255.0
access-list outside_ingress extended permit icmp any 198.41.100.0 255.255.255.248
access-list outside_ingress extended permit tcp any host 203.0.113.84 eq imap4
access-list outside_ingress extended permit tcp any host 203.0.113.85 eq 587
access-list outside_ingress extended permit tcp any host 203.0.113.85 eq smtp
access-list outside_ingress extended permit ip any 2001:db8:2::/48
access-list outside_ingress extended permit icmp6 any 2001:db8:1::/64
access-list outside_ingress extended permit tcp any host 2001:db8:2::1 eq imap4
access-list outside_ingress extended permit tcp any host 2001:db8:2::2 eq 587
access-list outside_ingress extended permit tcp any host 2001:db8:2::3 eq smtp
pager lines 24
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
...
access-group outside_ingress in interface outside
ipv6 route outside ::/0 2001:db8:1::1
ipv6 route inside 2001:db8:2::/48 2001:db8:2:1::1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.2.0.0 255.255.0.0 10.2.1.2 1
route inside 203.0.113.0 255.255.255.0 10.2.1.2 1
route inside 192.168.4.0 255.255.255.0 10.2.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
!
...
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
...
: end
I'd also like to allow traceroute from inside my network, but this seems to be failing for IPv4:
user@server01:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max
  1   10.2.24.1  1.145ms  2.477ms  2.198ms
  2   *  *  *
  3   *  *  *
  4   *  *  *
  5   *  *  *
  6   *  *  *
  7   *  *  *
  8   *  *  *
  9   *  *  *
 10   *  *  *
 11   *  *  *
 12   *  *  *
 13   *  *  *
 14   *  *  *
 15   *  *  *
 16   *  *  *
 17   *  *  *
 18   *  *  *
 19   *  *  *
 20   *  *  *
 21   *  *  *
 22   *  *  *
 23   *  *  *
 24   *  *  *
06-08-2020 11:42 AM - edited 06-08-2020 01:24 PM
Hi,
That is not possible (by design).
"The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface"
Reference:-
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html
HTH
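The rule quoted in the answer, applied to the running-config posted in the question, as an added example (not code from the thread or from Cisco): it parses the named interfaces and static routes, works out which ASA interface a source host arrives on by longest-prefix match, and predicts whether an echo request to a given address is answered, dropped by design, or simply forwarded as through-traffic. It models only the "answer ICMP on the arriving interface" rule; the `icmp` interface command, ACLs and NAT are not modelled.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above: only the named
# interfaces and the static routes, which is all the rule below needs.
ASA_CONFIG = """
interface Port-channel1
 nameif outside
 ip address 203.0.113.5 255.255.255.248
!
interface Port-channel2
 nameif inside
 ip address 10.2.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.2.0.0 255.255.0.0 10.2.1.2 1
route inside 203.0.113.0 255.255.255.0 10.2.1.2 1
route inside 192.168.4.0 255.255.255.0 10.2.1.2 1
"""


def parse_config(text):
    """Return (ifaces, routes): ifaces maps nameif -> (address, connected net);
    routes is a list of (network, nameif) that includes the connected nets."""
    ifaces, routes, nameif = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new stanza: forget the old name
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            ifaces[nameif] = (ipaddress.ip_address(m.group(1)), net)
            routes.append((net, nameif))       # connected route
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            routes.append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"), m.group(1)))
    return ifaces, routes


def ingress_interface(src, routes):
    """Longest-prefix match: the interface a packet from src arrives on."""
    hits = [(net.prefixlen, name) for net, name in routes if src in net]
    return max(hits)[1] if hits else None


def icmp_echo_verdict(src_ip, dst_ip, ifaces, routes):
    """The ASA answers an echo request only when the target address belongs
    to the interface the request arrived on; other ASA addresses are dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = ingress_interface(src, routes)
    owner = next((n for n, (addr, _) in ifaces.items() if addr == dst), None)
    if owner is None:
        return "through-traffic"   # not an ASA address: forwarded per ACL/NAT/inspection
    return "answered" if owner == ingress else "dropped"
```

For the poster's host 10.2.28.100 this reproduces the three ping results above: 10.2.1.1 is answered, 203.0.113.5 is dropped, 203.0.113.1 is ordinary through-traffic.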
06-08-2020 12:23 PM
Good to know, thanks.