Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4564
Views
0
Helpful
4
Replies

SSL VPN ICMP type 3 question

noepkes51
Level 1
Level 1

‎03-14-2011 09:23 AM

Hello Cisco Community,

We are using an ASA 5510 for our remote VPN connection.  Since we are using it for only VPN, we have it sitting behind a Checkpoint firewall.  I have firewall rules (on checkpoint) to all the SSL VPN connections (both UDP and TCP port 443).

On Checkpoint I noticed a lot of out of state packets being dropped.  These packets were ICMP time-exceeded, destination unreachable and your standard echo requests.

I opened up the firewall rules to allow the above ICMP connections in and out but I'm still seeing the following errors on the ASA:

%ASA-3-313001: Denied ICMP type=3, code=3 from x.x.x.x on interface outside

%ASA-3-313001: Denied ICMP type=3, code=1 from x.x.x.x on interface outside

Since these requests are coming from legitimate users, I'm wondering what the purpose this ICMP traffic serves and if my checkpoint firewall is reducing VPN performance.

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎03-15-2011 02:48 AM

Those ICMP type 3 are being dropped on your ASA outside interface because you might have "icmp" rules configured on one or more of your interfaces.

You can check by running the following command: sh run icmp

If you have at least 1 icmp rule configured on any 1 interface, the default rule for any icmp types that you have not allowed on the interfaces are block.

Here is the syslog explaination for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771105

To allow specific ICMP type 3 on your outside interface:

icmp permit any unreachable outside

Hope that helps.

0 Helpful

noepkes51
Level 1
Level 1
In response to Jennifer Halim

‎03-15-2011 09:13 AM

Thank you for your help.  However, I am still getting the following: %ASA-3-313001: Denied ICMP type=3, code=3

Does the command you mentioned allow only ICMP type 3, code 0?  I would like too allow all codes for type 3.

This is the results from my show run icmp command:

(config)# show run icmp
icmp unreachable rate-limit 100 burst-size 10
icmp permit any outside
icmp permit any unreachable outside
icmp permit any inside

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to noepkes51

‎03-15-2011 04:56 PM

It should be for all ICMP type 3 codes.

Can you please check again if you still have those syslog logged? It might just be a delay as it is still processing the syslog prior to your change on the ICMP command.

0 Helpful

noepkes51
Level 1
Level 1
In response to Jennifer Halim

‎03-16-2011 06:09 AM

I checked this morning and had 70 alerts sent to my inbox.  Looks like they're all code 1 or code 3. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents