Firewall logs show denies but ACL statement should be allowing ICMP

Unanswered Question
Sep 4th, 2008

I have a question that has been baffling me all afternoon.

I have an ASA appliance which I have positioned to guard my customer's network from the Internet. On the other side of him is a Border Router which is a 3825 ISR.

I have an extended ACL configured on the ASA. The ACL blocks unwanted traffic and allows specific hosts on specific ports through.

One of the statements I have configured on the ASA ACL is:

access-list outside_inside extended permit icmp any any echo

This ACL is applied inbound on the Outside Interface.

When I examine the logs of the router, I have a lot of the following entries:

%ASA-4-106023: Deny icmp src outside:bhigw2 dst inside:206.248.224.3

The bhigw2 host is the Border Router I was referring to. I am not sure why his traffic is being blocked when the ACL in question should be allowing it.

Thanks

branfarm1 Thu, 09/04/2008 - 14:50

Hi there. I believe you have to also control ICMP on a per-interface basis. Use the 'icmp permit' command to allow ICMP from a host on the specified interface.

For example, to allow icmp from the outside interface, enter:

icmp permit any outside

Then apply your ACL to the interface.

On one of my devices I have the following config:

icmp permit any outside

access-list outside permit icmp any any echo-reply

I use that to allow hosts on the inside to ping hosts on the outside, but not the other way around (it's an internal vlan).

Please rate if helpful.

Thanks!

robertson.michael Fri, 09/05/2008 - 06:08

One quick point of clarification:

Using an ACL to permit ICMP only applies to traffic through the ASA (i.e. some host on one side of the ASA to some host on another side of the ASA).

The 'icmp permit|deny' command only applies to ICMP to the ASA (i.e. some host on one side of the ASA to an interface of the ASA).

-Mike

branfarm1 Fri, 09/05/2008 - 06:14

Thanks for the clarification Mike. I guess I never realized that the icmp command was limited to the ASA itself. I have always used it in conjunction with an acl. Looking at the docs, I don't know how I ever missed it!

robertson.michael Fri, 09/05/2008 - 06:35

No problem at all. With so much information in the documentation, it can be easy to miss things like that.

-Mike

Kevin Melton Fri, 09/05/2008 - 09:42

Thanks for your response.

I have made the configuration change and applied the "icmp permit any outside" statement to the ASA.

Much to my dismay, I am still receiving the error message:

Deny icmp src outside:bhigw2 dst inside:206.248.224.3 (type 3, code 3) by access-group "outside_inside" [0x0, 0x0]

I want to question why my border router would be pinging my Inside Firewall at this point. That seems bizarre. We have a network Management station on our Inside Network that polls the Border Router, but it is getting ICMP replies in that the light that represents the Border Router is green on the management station, so that is not an ICMP response getting blocked. I will put a sniffer in our network at the appropriate place and see if I can find out any more.
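The 106023 entry quoted above records the ICMP type and code of the denied packet, which is what decides whether a typed ACL line such as "permit icmp any any echo" can match it. The following is an added example, not code from this thread or from Cisco, that parses such lines and checks them against the ICMP keywords an ACL permits; it assumes the ASA keywords echo, echo-reply, unreachable and time-exceeded, and the second sample line (an echo request) is constructed for comparison.

```python
import re

# Constructed sample entries in the format of ASA syslog message 106023. The first
# is the line quoted in the thread; the second is a hypothetical echo request.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny icmp src outside:bhigw2 dst inside:206.248.224.3 '
    '(type 3, code 3) by access-group "outside_inside" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:bhigw2 dst inside:206.248.224.3 '
    '(type 8, code 0) by access-group "outside_inside" [0x0, 0x0]',
]

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src>\S+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# ICMP type numbers and the keyword the ASA ACL syntax uses for each.
ICMP_TYPE_KEYWORD = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}
# Code values of type 3 (destination unreachable); code 3 is port unreachable.
UNREACHABLE_CODES = {0: "net-unreachable", 1: "host-unreachable", 3: "port-unreachable"}


def parse_deny(line):
    """Return the fields of a 106023 ICMP deny line, or None if it does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["type"] = int(entry["type"])
    entry["code"] = int(entry["code"])
    entry["keyword"] = ICMP_TYPE_KEYWORD.get(entry["type"], f"type-{entry['type']}")
    entry["detail"] = UNREACHABLE_CODES.get(entry["code"]) if entry["type"] == 3 else None
    return entry


def permitted_by_acl(entry, permitted_keywords):
    """True if an ACL permitting only these ICMP keywords (or 'any') would match the packet."""
    return "any" in permitted_keywords or entry["keyword"] in permitted_keywords


def explain(line, permitted_keywords=("echo",)):
    """Human-readable verdict for one log line against the permitted ICMP keywords."""
    entry = parse_deny(line)
    if entry is None:
        return "not a 106023 ICMP deny"
    kind = entry["keyword"] + (f"/{entry['detail']}" if entry["detail"] else "")
    verdict = "would match" if permitted_by_acl(entry, permitted_keywords) else "does NOT match"
    return (f"{entry['src_if']}:{entry['src']} -> {entry['dst_if']}:{entry['dst']} "
            f"ICMP {kind}: ACL '{entry['acl']}' permitting {sorted(permitted_keywords)} {verdict}")
```

Run over the thread's own log line, the check reports an ICMP unreachable/port-unreachable message, i.e. a response generated by the border router to some other traffic rather than an echo request, which a statement permitting only "echo" does not cover.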

robertson.michael Fri, 09/05/2008 - 19:34

Hi,

So, are you saying that the logs show that your border router (which is behind the outside interface of your ASA, I am assuming) is trying to ping the IP address of the ASA's inside interface?

If that is the case, then this is simply not supported and you unfortunately will not be able to make any configuration changes that would allow this to work.

I think you are on the right track, though, in trying to find out why the border router is trying to ping the inside of your ASA. I am afraid I won't be of much help there, but if it is simply for testing to see if the ASA is up, you would have to configure it to ping the ASA's outside IP address (and double check your 'icmp permit' commands) in order for those pings to succeed.

Hope that helps.

-Mike

ariesc_33 Sun, 09/07/2008 - 23:39

Hi, have you configured static NAT? If you are going to ping from outside to inside, the inside IP address should be translated first to a routable IP address from the border router.
