ICMP cannot be sent out through the management0/0 port of the ASA

sophorn.ros
Level 1

Dear Team,

 

Currently I cannot ping from source 172.16.5.10 to destination 10.1.0.100. After checking the logs, I found that the traffic can pass to the destination 10.1.0.100, but the reply comes back on the wrong outgoing interface (the incoming interface is Outside, but the reply goes back using interface management 0/0), and the ICMP traffic is dropped in the outgoing direction (from interface Inside to interface Management). I want both the inbound and outbound traffic of the ASA to use the one interface (Outside). Please advise me on the solution. I have attached the network diagram in the attached picture. I appreciate your advice!

 

 

9 Replies

rakeshvelagala
Level 3

Hi,

I am not sure how you have configured it, but I think you can create a static route on the ASA to use the interface you want the traffic to take.

 

Thanks

Hi Rakeshvelagala,

The default route is configured to the Outside interface, but only the ICMP traffic replies from the Inside interface to the management interface, and ICMP traffic going out through the management interface is blocked.

 

Noted: this issue happens only with the ICMP protocol. TCP/UDP replies go to the correct interface (Outside).

Please advise more ideas.

 

 

pille1234
Level 3

You need to enable ICMP inspection on the ASA to make that work.

 

Sooner or later, however, your setup will fail due to routing issues. Having the same subnet on the inside and on the OOB-MGMT port is going to create problems.

 

 

Hi Pille,

Which interface should I apply ICMP inspection to, since I have already applied an ACL permitting echo-reply on all interfaces?

But the problem is that the ASA management interface has the same subnet as the source IP address, so the echo-reply message will look for the connected interface that has the same subnet as the source IP address.

So how do I add a route or ICMP inspection on the current network diagram that I provided?

Hi,

As already mentioned, by enabling ICMP inspection the ASA should create a connection entry in its state table where it knows the source and destination interfaces, so when the traffic comes back it would be sent out the originating interface based on the connection state entry.

Regards,

Aref

Hi Aref Alsouqi,

So how do I fix this issue so that my MGMT PC can ping the hosts located on the Inside interface of the ASA?

Noted: this issue happens only with the ICMP protocol. TCP/UDP replies go to the correct interface (Outside). Please advise more ideas, sir!

 

Please try to apply the following:

policy-map global_policy
  class inspection_default
    inspect icmp
 

By doing so you enabled the inspection for icmp traffic.

Regards,

Aref
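The two behaviours discussed in this thread, modelled as an added example (this is not code from the thread or from Cisco): a stateless forwarder routes every ICMP packet independently, so the echo-reply to 172.16.5.10 matches the connected 172.16.5.0/24 route on management0/0 (longest prefix) rather than the default route via Outside; when a connection entry is recorded for the echo-request, which is what `inspect icmp` gives the ASA, the reply is returned out the interface the request arrived on. The addresses and the interface roles come from the post; the interface names used as route targets, the ICMP identifier/sequence values, and the assumption that management0/0 is a management-only interface that drops through-traffic are mine.

```python
"""Stateless vs. stateful forwarding of an ICMP echo reply on a multi-interface firewall.

Added example, not from the original thread. Topology (from the post):
  172.16.5.10 (MGMT PC) --> Outside [ASA] Inside --> 10.1.0.100
  management0/0 also sits on 172.16.5.0/24, the same subnet as the MGMT PC.
Assumptions (mine): interface names as route targets, ICMP id/seq values,
and management0/0 being management-only (no through-traffic).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# (prefix, egress interface). Longest prefix wins, like a real routing table.
ROUTES = [
    ("0.0.0.0/0", "Outside"),            # default route (from the post)
    ("172.16.5.0/24", "management0/0"),  # connected route: the cause of the problem
    ("10.1.0.0/24", "Inside"),           # assumed mask for the Inside host subnet
]

# Assumption: management0/0 is management-only, so through-traffic to it is dropped.
MANAGEMENT_ONLY = {"management0/0"}

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def route_lookup(dst: str) -> str:
    """Longest-prefix match of dst against ROUTES; returns the egress interface."""
    best = None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    seq: int


class Firewall:
    def __init__(self, inspect_icmp: bool):
        self.inspect_icmp = inspect_icmp
        self.conn_table = {}  # conn key -> (ingress iface of request, egress iface of request)

    @staticmethod
    def _key(pkt: Packet):
        # Request and reply swap src/dst but share id/seq; normalise so both hit one entry.
        a, b = sorted([pkt.src, pkt.dst])
        return (a, b, pkt.icmp_id, pkt.seq)

    @staticmethod
    def _route(dst: str):
        egress = route_lookup(dst)
        return None if egress in MANAGEMENT_ONLY else egress  # through-traffic to mgmt dropped

    def forward(self, pkt: Packet, ingress: str):
        """Return the egress interface for pkt, or None if the packet is dropped."""
        if not self.inspect_icmp:
            # No state: each packet is routed on its own destination address.
            return self._route(pkt.dst)
        key = self._key(pkt)
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            egress = self._route(pkt.dst)
            if egress is not None:
                self.conn_table[key] = (ingress, egress)
            return egress
        if pkt.icmp_type == ICMP_ECHO_REPLY and key in self.conn_table:
            req_in, req_out = self.conn_table.pop(key)
            if ingress != req_out:      # reply must come back on the request's egress
                return None
            return req_in               # ... and leaves via the request's ingress
        return None                     # unsolicited reply: dropped by inspection


def ping_round_trip(inspect_icmp: bool):
    """Egress interfaces for (echo-request, echo-reply) of one ping 172.16.5.10 -> 10.1.0.100."""
    fw = Firewall(inspect_icmp)
    req = Packet("172.16.5.10", "10.1.0.100", ICMP_ECHO_REQUEST, 0x1234, 1)  # id/seq assumed
    rep = Packet("10.1.0.100", "172.16.5.10", ICMP_ECHO_REPLY, 0x1234, 1)
    return fw.forward(req, ingress="Outside"), fw.forward(rep, ingress="Inside")


if __name__ == "__main__":
    print("without inspect icmp:", ping_round_trip(False))  # reply routed to management0/0 -> dropped
    print("with inspect icmp:   ", ping_round_trip(True))   # reply returned out Outside
```

The stateless case reproduces the symptom in the post: the request reaches Inside, but the reply is routed by its destination address alone, and the connected 172.16.5.0/24 route on management0/0 beats the default route. With the connection entry, the reply is tied to the interface pair of the request, so the routing table is never consulted for it. The overlap between the management subnet and the MGMT PC's subnet remains, which is the routing concern pille1234 raised.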

Hi Aref Alsouqi,

 

Thanks so much. It works now!

Regards,

Sophorn

You are most welcome.

Regards,

Aref
