ASA 5505: unable to ping external hosts

Jun 20th, 2007

Hi,


I have a LAN behind ASA 5505, interface NAT/PAT is configured.

External interface is configured for PPPoE.

Everything works fine except that I cannot ping external hosts from a LAN PC. I can, however, ping external hosts from the ASA itself. ICMP is allowed:

icmp permit any inside

icmp permit any outside

access-list outside_access_in extended permit icmp any any


Protocol inspections and fixups are default.


When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:


302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session

313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside

302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1

302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512

Where 202.xx.yy.zz is IP of external interface of ASA.

This is a very simple setup that runs on a number of other PIXes/ASAs, and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface.

Any help will be highly appreciated.

Thank you.


Alex


srue Wed, 06/20/2007 - 20:39

Just to clarify, outside_access_in is the ACL that is applied to your outside interface?

Can you post the full ACL, as well as all nat/global/static commands?


augnevenok Wed, 06/20/2007 - 21:52

I attached the config of the ASA.

I am running similar configs on other firewalls and never had a problem with ICMP being blocked.

krowland123 Wed, 10/22/2008 - 12:07

Did you ever come up with a fix for this? I am running into this very issue right now on an ASA 5505 running 7.2(3).

JORGE RODRIGUEZ Wed, 10/22/2008 - 12:56

Alex / Kerry, you have a couple of options for handling ICMP outbound, either an ACL or ICMP inspection:


access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

access-group outside_access_in in interface outside


or ICMP inspection instead of the ACL:



policy-map global_policy

class inspection_default

inspect icmp


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml




HTH

Jorge
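To check a saved running-config for the two remedies Jorge lists (an outside ACL that permits echo-reply, or `inspect icmp` in the global service policy), here is an added Python audit script. It is not code from the thread or from Cisco. It assumes the default `global_policy` / `inspection_default` names applied with `service-policy ... global`, an outside interface whose nameif is `outside`, and the three config fragments below are constructed for the demonstration (the thread itself does not settle why the original poster's blanket `permit icmp any any` still showed drops, so the ACL check reports what is configured rather than guaranteeing a working ping).

```python
"""Audit an ASA running-config for the outbound-ICMP remedies from the thread.

Constructed example (not from the original post or from Cisco). Assumes
the usual 'global_policy' applied globally and an interface named 'outside'.
"""
import re

# Constructed sample configs. 203.0.113.0/24 is a documentation prefix.
CONFIG_NO_FIX = """\
interface Vlan2
 nameif outside
 security-level 0
access-list outside_access_in extended permit tcp any host 203.0.113.5 eq www
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
service-policy global_policy global
"""

# Remedy 1: stateful ICMP inspection added to the global policy.
CONFIG_INSPECT = CONFIG_NO_FIX.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n")

# Remedy 2: explicit ICMP reply types permitted inbound on the outside ACL.
CONFIG_ACL = """\
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
"""

_ACL_RE = re.compile(r"^access-list (\S+) extended permit icmp (.+)$")


def inbound_acl(config, iface):
    """Name of the ACL applied inbound on iface, or None if nothing is applied."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(iface)}\s*$", config, re.M)
    return m.group(1) if m else None


def _skip_addr(tokens):
    """Number of tokens consumed by one ASA address spec (any / host X / net mask / object X)."""
    if not tokens:
        return 0
    if tokens[0] in ("any", "any4", "any6"):
        return 1
    return 2  # 'host X', 'object X', 'object-group X', 'interface X', or 'network mask'


def acl_permits_echo_reply(config, acl):
    """True if acl has a 'permit icmp' entry covering echo-reply, either explicitly
    or as a blanket permit with no ICMP type."""
    for raw in config.splitlines():
        m = _ACL_RE.match(raw.strip())
        if not m or m.group(1) != acl:
            continue
        rest = m.group(2).split()
        rest = rest[_skip_addr(rest):]   # drop the source spec
        rest = rest[_skip_addr(rest):]   # drop the destination spec
        if not rest or rest[0] == "log":  # no ICMP type given: every type is permitted
            return True
        if rest[0] in ("echo-reply", "0"):
            return True
    return False


def policy_map_body(config, name):
    """Indented lines belonging to 'policy-map <name>' (stops at the next top-level line)."""
    body, inside = [], False
    for line in config.splitlines():
        if inside:
            if line and not line[0].isspace():
                break
            body.append(line.strip())
        elif line.strip() == f"policy-map {name}":
            inside = True
    return body


def icmp_inspected(config):
    """True if the policy applied with 'service-policy <name> global' contains 'inspect icmp'."""
    m = re.search(r"^service-policy (\S+) global\s*$", config, re.M)
    if not m:
        return False
    return any(l.split() == ["inspect", "icmp"] for l in policy_map_body(config, m.group(1)))


def audit_outbound_icmp(config, outside="outside"):
    """Report which remedy (if any) is present and a one-line verdict."""
    acl = inbound_acl(config, outside)
    inspected = icmp_inspected(config)
    via_acl = acl is not None and acl_permits_echo_reply(config, acl)
    if inspected:
        verdict = "ok: 'inspect icmp' is in the global policy, replies are tracked statefully"
    elif via_acl:
        verdict = f"ok: ACL {acl} permits echo-reply inbound on {outside}"
    else:
        verdict = (f"no remedy found: add 'inspect icmp' under the global policy or permit "
                   f"icmp echo-reply in the ACL applied inbound on {outside}")
    return {"inspect_icmp": inspected, "outside_acl": acl,
            "acl_permits_echo_reply": via_acl, "ok": inspected or via_acl, "verdict": verdict}


if __name__ == "__main__":
    for label, cfg in (("no-fix", CONFIG_NO_FIX), ("inspect", CONFIG_INSPECT), ("acl", CONFIG_ACL)):
        print(f"{label:8s} {audit_outbound_icmp(cfg)['verdict']}")
```

Run it against `show running-config` output saved to a file by reading the file into `audit_outbound_icmp`. Object-group and non-default policy-map layouts are only partially handled, so treat a "no remedy found" result as a prompt to look at the config by hand, not as proof.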
