ICMP being allowed through??

Answered Question
Nov 6th, 2008

I can't understand this one. I have a netopia router in front of an ASA. The ASA is getting an address from the provider for the time being, but I can ping that address. In my logs I see where the icmp connection is being built and torn down on the ASA, but it's from a different ip than mine. Is it possible that I'm hitting the netopia router and it's responding for the ASA?


Thanks,


John

Jon Marshall Thu, 11/06/2008 - 13:19

John


Could you provide a bit of addressing - doesn't have to be the real addressing just use any addressing to give example. Is it


LAN -> ASA -> Netopia router


If so could you provide addressing for interfaces and also where you are pinging from.


What do you mean when you say the ASA is getting an address from the provider - do you mean DHCP?


Jon

John Blakley Thu, 11/06/2008 - 13:33

It's a pppoe account that's assigned an address. The current layout is


LAN --> ASA --> Netopia --> Cloud


The ASA public is 192.168.1.5


The Netopia is supposedly in bridging mode.


From my box (outside of their network), I can ping 192.168.1.5. In the logs I see:


%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1 (my public)/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0


This makes NO sense. I don't have ACLs that are allowing the traffic through, and I was always under the assumption that the public side always dropped any traffic unless explicitly permitted.


Thanks,


John



Jon Marshall Thu, 11/06/2008 - 13:42

John


Sorry, it's been a long day so I may be a bit slow! You are pinging from another public IP address, nothing to do with the LAN behind the ASA.


If so, an acl on the outside interface of the ASA does not control whether you can ping the outside interface but whether ICMP is allowed through.


Look in the ASA config to see if there is a line


icmp permit any outside


Again, apologies if I am still not understanding.


Jon

John Blakley Thu, 11/06/2008 - 13:46

It's understandable...it has been a LONG day :-)


I'm pinging from one public to another public (outside interface on ASA). There are no icmp lines on there, and to verify I did the following:


access-list TEST deny icmp any any
access-list TEST permit ip any any
access-group TEST in interface outside


I can still ping with no hits on the acl. I believe the Netopia is answering for the request.


--John

Jon Marshall Thu, 11/06/2008 - 13:59

Okay, I need some sleep :-)


I'm pinging from one public to another public (outside interface of ASA) - yes, but where, from a topology point of view, is the other public IP, i.e. the public IP that is not the outside interface of the ASA?


Jon

John Blakley Thu, 11/06/2008 - 14:05

It's in another state :o)


It connects to us through easyvpn. I thought that was the problem, so I remoted into one of my laptops at my house, and I could ping it from there too. The ASA is just another device out on the internet. Does that help? It really makes no sense, and it's frustrating me. :-) I don't get frustrated easily.... LOL


--John

Correct Answer
Jon Marshall Thu, 11/06/2008 - 14:05

Let's use a bit of inverse logic. On your ASA


asa(config)# icmp deny any outside


Jon

John Blakley Thu, 11/06/2008 - 14:08

LOL! That worked :-) Now, why won't my acl block it?? It wasn't even touching my acl.

Jon Marshall Thu, 11/06/2008 - 14:11

John


Think we have both had it today.


Your acl has no effect on ICMP traffic going to an interface on the ASA. An acl only affects ICMP traffic (and all other traffic) going through the ASA from one side to another.


Default must be to allow icmp to all interfaces, but it didn't use to be.


Jon
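As an added example (not code from anyone in the thread), the following Python parser applies Jon's distinction to the %ASA-6-302020 messages John quoted: a "to-the-box" echo shows the interface address as both gaddr and laddr and is governed by the interface `icmp` command, while a "through-the-box" flow has a different real host as laddr and is what the access-group ACL controls. The field layout is taken from the line in the thread; the sample log lines, the 10.0.0.20 inside host and the set of interface addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches the %ASA-6-302020 "Built ... ICMP connection" message, fields ordered as in
# the thread's line; the optional "(...)" after faddr tolerates John's "(my public)" note.
LOG_RE = re.compile(
    r"%ASA-6-302020: Built (?P<dir>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)(?: \([^)]*\))?/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)

@dataclass
class IcmpConn:
    direction: str
    faddr: str   # foreign (remote) address
    gaddr: str   # global/mapped address
    laddr: str   # local (real) address
    to_the_box: bool

def parse_302020(line, interface_addrs):
    """Parse one 302020 line; return None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Traffic terminating on the ASA itself carries the interface address as both
    # gaddr and laddr; a through-the-box flow has some other real host as laddr.
    to_box = m["laddr"] in interface_addrs and m["gaddr"] == m["laddr"]
    return IcmpConn(m["dir"], m["faddr"], m["gaddr"], m["laddr"], to_box)

def governing_control(conn):
    """Name the ASA feature that decides whether this ICMP flow is permitted."""
    if conn.to_the_box:
        return "icmp permit/deny on the interface (to-the-box)"
    return "access-group ACL on the interface (through-the-box)"

def classify(lines, interface_addrs):
    """Split a log into to-the-box and through-the-box ICMP connection events."""
    result = {"to_the_box": [], "through_the_box": []}
    for line in lines:
        conn = parse_302020(line, interface_addrs)
        if conn is not None:
            result["to_the_box" if conn.to_the_box else "through_the_box"].append(conn)
    return result

# Constructed sample log; 192.168.1.5 stands in for the ASA outside interface.
SAMPLE_LOG = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1/37738 gaddr 192.168.1.5/0 laddr 10.0.0.20/0",
    "%ASA-6-302021: Teardown ICMP connection for faddr 1.1.1.1/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0",
]
```

Run `classify(SAMPLE_LOG, {"192.168.1.5"})` and pass each result to `governing_control` to see which events an interface ACL would never have matched.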
