AnyConnect clients can reach inside apps but NO ICMP allowed

Hi dear cisco community,
 
I have a setup with a Cisco ASA 8.4 and customers connecting towards a server on the inside interface.
Everything works very fine, they can reach all applications and stuff, BUT the ICMP would not go through.
I double checked, the server receives the ICMP echo fine and replies well.
 
This is my ASA that blocks the echo-reply packets, due to a NAT issue according to the logs:
 
 
6 Jun 26 2014 16:00:06 302020 172.16.23.1 1 AAA.BBB.CCC.1 0 Built inbound ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr AAA.BBB.CCC.1/0 laddr AAA.BBB.CCC.1/0 (customer1)
3 Jun 26 2014 16:00:07 305006 AAA.BBB.CCC.1 172.16.23.1 LOCAL regular translation creation failed for icmp src any:AAA.BBB.CCC.1 dst OUTSIDE:172.16.23.1(LOCAL\customer1) (type 0, code 0)
6 Jun 26 2014 16:00:08 302021 172.16.23.1 1 AAA.BBB.CCC.1 0 Teardown ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr AAA.BBB.CCC.1/0 laddr AAA.BBB.CCC.1/0 (customer1)
 
 
 
Here is an extract of my config :
 
object network VPN_POOL_CLTS
 subnet 172.16.23.0 255.255.255.0
 
object network INSIDE_SERVERS_NET
 subnet AAAA.BBB.CCC.0 255.255.255.0
 
nat (any,OUTSIDE) source dynamic any interface description NAT overload
nat (OUTSIDE,any) source static VPN_POOL_CLTS VPN_POOL_CLTS no-proxy-arp
 
 
I believe that there is a NAT issue, so I would add the following line before the first two NAT config lines:
 
nat (INSIDE,OUTSIDE) source static INSIDE_SERVERS_NET INSIDE_SERVERS_NET no-proxy-arp
 
Do you think this will solve the issue?
 
Why would all traffic flows work but not the ICMP?
 
Thank you all for reading.
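As an added example that is not part of the thread: a small Python parser for ASDM-style ASA syslog lines like the three quoted above. It picks out the 305006 translation failures, records the interface the failed translation names (here `any`, the real-interface half of the `nat (any,OUTSIDE)` rule), and correlates each failure with the ICMP session the preceding 302020 "Built" message reported. The sample log is a constructed copy of the thread's lines in which 10.10.10.1 stands in for the masked server address AAA.BBB.CCC.1; the regular expressions are this example's own and are written against the message formats shown in the thread.

```python
"""Added example (not from the thread): parse ASDM-style ASA syslog lines and
flag NAT translation failures (305006), correlating each with the ICMP session
that the preceding 302020 "Built" message reported.

SAMPLE_LOG is a constructed copy of the thread's three lines with 10.10.10.1
standing in for the masked server address AAA.BBB.CCC.1.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
6 Jun 26 2014 16:00:06 302020 172.16.23.1 1 10.10.10.1 0 Built inbound ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr 10.10.10.1/0 laddr 10.10.10.1/0 (customer1)
3 Jun 26 2014 16:00:07 305006 10.10.10.1 172.16.23.1 LOCAL regular translation creation failed for icmp src any:10.10.10.1 dst OUTSIDE:172.16.23.1(LOCAL\customer1) (type 0, code 0)
6 Jun 26 2014 16:00:08 302021 172.16.23.1 1 10.10.10.1 0 Teardown ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr 10.10.10.1/0 laddr 10.10.10.1/0 (customer1)
"""

# Common ASDM columns: severity, date, time, six-digit message id, then the rest.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})\s+(?P<time>\d\d:\d\d:\d\d)"
    r"\s+(?P<msgid>\d{6})\s+(?P<rest>.*)$")

# 302020: Built {in|out}bound ICMP connection for faddr X/n ... laddr Y/n
BUILT_RE = re.compile(
    r"Built (?P<dir>in|out)bound ICMP connection for faddr (?P<faddr>[\d.]+)/\d+"
    r".*?laddr (?P<laddr>[\d.]+)/\d+")

# 305006: ... translation creation failed for PROTO src IF:ADDR dst IF:ADDR (type T, code C)
FAIL_RE = re.compile(
    r"(?P<kind>outbound static|identity|portmap|regular) translation creation failed for "
    r"(?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+) dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)"
    r"(?:\([^)]*\))?(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?")


def analyse(log_text: str) -> List[Dict]:
    """Return one finding per 305006 line, enriched with session context."""
    built = set()            # (faddr, laddr) pairs seen in 302020 messages
    findings: List[Dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # blank or not an ASDM-format line
        msgid, rest = m["msgid"], m["rest"]
        if msgid == "302020":
            b = BUILT_RE.search(rest)
            if b:
                built.add((b["faddr"], b["laddr"]))
        elif msgid == "305006":
            f = FAIL_RE.search(rest)
            if not f:
                continue
            findings.append({
                "time": f"{m['date']} {m['time']}",
                "kind": f["kind"],
                "proto": f["proto"],
                "src": f["src"], "src_if": f["sif"],
                "dst": f["dst"], "dst_if": f["dif"],
                "icmp_type": int(f["type"]) if f["type"] is not None else None,
                "icmp_code": int(f["code"]) if f["code"] is not None else None,
                # True when the failure is the return leg of a session the ASA
                # had just built (faddr == this dst, laddr == this src).
                "reply_to_built_session": (f["dst"], f["src"]) in built,
                # "any" as the source interface points at a NAT rule whose real
                # interface is any, as in nat (any,OUTSIDE).
                "any_interface_rule": f["sif"] == "any",
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run on the sample, the single finding reports an ICMP type 0 (echo-reply) from the server to the VPN client, flagged as the return leg of a freshly built session and as having been matched by an `any`-interface rule, which is exactly the combination to look for when a NAT rule with too broad a scope is eating return traffic.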
Accepted Solution

nkarthikeyan
Level 7

Hi Florian,

If you look at the logging values for icmp denies

305006

Error Message %ASA-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name : source_address / source_port [( idfw_user )] dst interface_name : dest_address / dest_port [( idfw_user )]

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA denies translations for an IP address identified as a network or broadcast address.

The ASA does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT translation. As a result, when the other ICMP message types are dropped, this message is generated.

The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128
 

The ASA responds to global address 10.2.2.128 as a network address and to 10.2.2.255 as the broadcast address. Without an existing translation, the ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this message.

When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the subnet static command (the first match rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:

static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128
 

The translation may be created by traffic started from the inside host with the IP address in question. Because the ASA views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static commands must be the same.

Recommended Action None required.

 

302020

Error Message %ASA-6-302020: Built {in | out}bound ICMP connection for faddr { faddr | icmp_seq_num } [( idfw_user )] gaddr { gaddr | icmp_type } laddr laddr [( idfw_user )]

Explanation An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command.

Recommended Action None required.

So a similar rule like the one below would solve your problem.

nat (inside,outside) source static OBJ_INTERNAL OBJ_INTERNAL destination static OBJ_VPN OBJ_VPN no-proxy-arp route-lookup

Regards

Karthik
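An added example, not ASA code and not from the thread: a toy Python model of the top-down, first-match evaluation of ASA manual (twice) NAT rules. It feeds two constructed packets, the server's echo-reply toward a VPN client and the same server talking to an Internet host, through the thread's original two rules, through the rule the asker proposed (identity NAT for the server network with no destination clause), and through the rule in the accepted answer (identity NAT only when the destination is the VPN pool). The server network 10.10.10.0/24, the OUTSIDE interface address 203.0.113.1 and the Internet host 198.51.100.7 are constructed stand-ins; the ASA does much more than this model (existing-xlate lookup, section 2 and 3 object NAT, the 305006 drop seen in the thread rather than a silent translation), so the model only shows which rule wins and what that does to the source address.

```python
"""Toy model of Cisco ASA manual (twice) NAT rule ordering.

Added example, not ASA code and not from the thread: it reproduces only
the top-down, first-match evaluation of section-1 manual NAT rules, which
is enough to show which rule a server-to-VPN-client packet hits under the
thread's original configuration and under the two proposed fixes.
Addresses are constructed stand-ins for the masked values in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholders: the thread masks the server network as AAA.BBB.CCC.0/24
# and never shows the OUTSIDE interface address.
INSIDE_SERVERS_NET = "10.10.10.0/24"
VPN_POOL_CLTS = "172.16.23.0/24"          # as in the thread's object definition
OUTSIDE_IF_ADDR = "203.0.113.1"           # hypothetical PAT address for "interface"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str      # interface the packet arrives on
    out_if: str     # interface chosen by the route lookup for dst


@dataclass(frozen=True)
class NatRule:
    real_if: str    # "any" or an interface name, first half of nat (real,mapped)
    mapped_if: str
    src_net: str    # "any" or a CIDR
    dst_net: str    # "any" when the rule has no destination clause
    mode: str       # "identity" or "dynamic-pat"
    text: str       # the ASA CLI line the rule stands for


def _ip_in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    return (rule.real_if in ("any", pkt.in_if)
            and rule.mapped_if in ("any", pkt.out_if)
            and _ip_in(rule.src_net, pkt.src)
            and _ip_in(rule.dst_net, pkt.dst))


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (text of the first matching rule, translated source address).

    Manual NAT rules are evaluated top-down and the first match wins, so
    the position of an identity rule relative to the dynamic PAT decides
    whether the server keeps its real address toward the VPN pool.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.mode == "identity":
                return rule.text, pkt.src            # address preserved
            if rule.mode == "dynamic-pat":
                return rule.text, OUTSIDE_IF_ADDR    # overloaded behind the interface
            raise ValueError(f"unknown NAT mode {rule.mode!r}")
    return None, pkt.src                             # no manual NAT rule matched


# The two rules quoted from the thread, in their original order.
ORIGINAL_RULES = [
    NatRule("any", "OUTSIDE", "any", "any", "dynamic-pat",
            "nat (any,OUTSIDE) source dynamic any interface"),
    NatRule("OUTSIDE", "any", VPN_POOL_CLTS, "any", "identity",
            "nat (OUTSIDE,any) source static VPN_POOL_CLTS VPN_POOL_CLTS no-proxy-arp"),
]

# The asker's proposal: identity NAT for the server network, no destination clause.
ASKER_FIX = [
    NatRule("INSIDE", "OUTSIDE", INSIDE_SERVERS_NET, "any", "identity",
            "nat (INSIDE,OUTSIDE) source static INSIDE_SERVERS_NET INSIDE_SERVERS_NET no-proxy-arp"),
] + ORIGINAL_RULES

# The accepted answer's rule: identity NAT only when the destination is the VPN pool.
ANSWER_FIX = [
    NatRule("INSIDE", "OUTSIDE", INSIDE_SERVERS_NET, VPN_POOL_CLTS, "identity",
            "nat (inside,outside) source static OBJ_INTERNAL OBJ_INTERNAL "
            "destination static OBJ_VPN OBJ_VPN no-proxy-arp route-lookup"),
] + ORIGINAL_RULES

# Constructed packets: the server's echo-reply toward a VPN client, and the same
# server talking to an arbitrary Internet host (198.51.100.7 is documentation space).
ECHO_REPLY = Packet("10.10.10.1", "172.16.23.1", "INSIDE", "OUTSIDE")
INTERNET_BOUND = Packet("10.10.10.1", "198.51.100.7", "INSIDE", "OUTSIDE")


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES),
                         ("asker's fix", ASKER_FIX),
                         ("answer's fix", ANSWER_FIX)):
        for pkt in (ECHO_REPLY, INTERNET_BOUND):
            rule, src = apply_nat(rules, pkt)
            print(f"{label:13} {pkt.src} -> {pkt.dst}: source becomes {src} via [{rule}]")
```

Two things fall out of running it. With the original rules the server's reply toward the VPN pool is caught by the `nat (any,OUTSIDE) source dynamic any interface` rule, which is consistent with the `src any:` interface named in the thread's 305006 line. Both fixes put an identity rule ahead of that PAT, but the asker's rule has no destination clause, so in the model it also exempts the servers' Internet-bound traffic from PAT; the accepted answer's `destination static OBJ_VPN OBJ_VPN` clause narrows the exemption to traffic for the VPN pool and leaves the overload for everything else in place.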
