11-06-2008 01:14 PM - edited 03-11-2019 07:09 AM
I can't understand this one. I have a netopia router in front of an ASA. The ASA is getting an address from the provider for the time being, but I can ping that address. In my logs I see where the icmp connection is being built and torn down on the ASA, but it's from a different ip than mine. Is it possible that I'm hitting the netopia router and it's responding for the ASA?
Thanks,
John
11-06-2008 01:19 PM
John
Could you provide a bit of addressing - doesn't have to be the real addressing just use any addressing to give example. Is it
LAN -> ASA -> Netopia router
If so could you provide addressing for interfaces and also where you are pinging from.
What do you mean when you say the ASA is getting an address from the provider - do you mean DHCP?
Jon
11-06-2008 01:33 PM
It's a pppoe account that's assigned an address. The current layout is
LAN --> ASA --> Netopia --> Cloud
The ASA public is 192.168.1.5
The Netopia is supposedly in bridging mode.
From my box (outside of their network), I can ping 192.168.1.5. In the logs I see:
%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1 (my public)/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0
This makes NO sense. I don't have ACLs that are allowing the traffic through, and I was always under the assumption that the public side always dropped any traffic unless explicitly permitted.
Thanks,
John
11-06-2008 01:42 PM
John
Sorry, it's been a long day so I may be a bit slow! You are pinging from another public IP address, nothing to do with the LAN behind the ASA.
If so an acl on the outside interface of the ASA does not control whether you can ping the outside interface but whether ICMP is allowed through.
Look in the ASA config to see if there is a line
icmp permit any outside
Again, apologies if I am still not understanding.
Jon
11-06-2008 01:46 PM
It's understandable...it has been a LONG day :-)
I'm pinging from one public to another public (outside interface on ASA). There's no icmp lines on there, and to verify I did the following:
access-list TEST deny icmp any any
access-list TEST permit ip any any
access-group TEST in interface outside
I can still ping with no hits on the acl. I believe the Netopia is answering for the request.
--John
11-06-2008 01:59 PM
Okay, I need some sleep :-)
I'm pinging from one public to another public (outside interface of ASA) - yes but where from a topology point of view is the other public IP ie. the public IP that is not the outside interface of the ASA ?
Jon
11-06-2008 02:05 PM
It's in another state :o)
It connects to us through easyvpn. I thought that was the problem, so I remoted into one of my laptops at my house, and I could ping it from there too. The ASA is just another device out on the internet. Does that help? It really makes no sense, and it's frustrating me. :-) I don't get frustrated easily.... LOL
--John
11-06-2008 02:05 PM
Let's use a bit of inverse logic. On your ASA
asa(config)# icmp deny any outside
Jon
11-06-2008 02:08 PM
LOL! That worked :-) Now, why won't my acl block it?? It wasn't even touching my acl.
11-06-2008 02:11 PM
John
Think we have both had it today.
Your acl has no effect on ICMP traffic going to an interface on the ASA. An acl only affects ICMP traffic (and all other traffic) going through the ASA from one side to another.
Default must be to allow icmp to all interfaces, but it didn't use to be.
Jon
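The distinction Jon draws above (an `access-group` only filters traffic going through the ASA, while ICMP aimed at the box itself is governed by the `icmp` interface command) can be checked from the syslog the thread quotes: a 302020 "Built inbound ICMP connection" whose gaddr and laddr both equal the outside interface address is a to-the-box ping, not one the ACL would ever see. The following is an added example, not code from the thread or from Cisco; it parses constructed 302020/302021 lines in the format shown in the thread and flags to-the-box pings from sources other than an assumed management host. The outside interface address 192.168.1.5 is taken from the thread; the log lines, the hypothetical allowed pinger 203.0.113.10 and the inside host 10.0.0.20 are constructed.

```python
import re

# ASA syslog 302020 as quoted in the thread: Built inbound/outbound ICMP connection
# for faddr <foreign>/<id> gaddr <global>/<id> laddr <local>/<id>.
BUILT_ICMP = re.compile(
    r"%ASA-6-302020: Built (?P<dir>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)

# Assumptions, not from the thread: the outside interface address (192.168.1.5 is the
# value John gave) and the hosts expected to ping the firewall itself (constructed).
OUTSIDE_IF = "192.168.1.5"
ALLOWED_PINGERS = {"203.0.113.10"}  # constructed placeholder management host

# Constructed sample log, in the format of the line John posted.
SAMPLE_LOG = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 198.51.100.7/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.10/1201 gaddr 192.168.1.5/0 laddr 192.168.1.5/0",
    # Through-the-box: the ping was translated to an inside host, so laddr != interface.
    "%ASA-6-302020: Built inbound ICMP connection for faddr 198.51.100.7/37738 gaddr 192.168.1.5/0 laddr 10.0.0.20/0",
    "%ASA-6-302021: Teardown ICMP connection for faddr 198.51.100.7/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.1.5/5 laddr 10.0.0.20/5",
]


def parse_built_icmp(line):
    """Return the fields of a 302020 line as a dict, or None for any other message."""
    m = BUILT_ICMP.search(line)
    return m.groupdict() if m else None


def is_to_the_box(rec, outside_if=OUTSIDE_IF):
    """A to-the-box ICMP session is inbound with gaddr == laddr == the interface address:
    nothing was translated and the local endpoint is the firewall itself."""
    return rec["dir"] == "inbound" and rec["gaddr"] == rec["laddr"] == outside_if


def unexpected_pings(lines, outside_if=OUTSIDE_IF, allowed=ALLOWED_PINGERS):
    """Count to-the-box ICMP sessions per source address, ignoring allowed pingers."""
    hits = {}
    for line in lines:
        rec = parse_built_icmp(line)
        if rec is None:
            continue
        if is_to_the_box(rec, outside_if) and rec["faddr"] not in allowed:
            hits[rec["faddr"]] = hits.get(rec["faddr"], 0) + 1
    return hits


if __name__ == "__main__":
    for src, n in unexpected_pings(SAMPLE_LOG).items():
        print(f"to-the-box ICMP from {src}: {n} session(s) - not subject to the outside ACL")
```

Only the first sample line is reported: the second comes from the allowed host, the third was translated to an inside host (that one the `access-group` ACL does govern), the fourth is a teardown and the fifth is outbound. On the ASA side, the thread's fix `icmp deny any outside` closes the to-the-box path regardless of what the ACL says.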
11-06-2008 02:12 PM
Thanks Jon!