Asa - Deny inbound icmp src inside...

Dec 9th, 2008

Hi, I have a problem and I hope to find a solution.

I have my LAN connected to an ASA inside interface, 10.57.1.250. In my LAN I have a DNS server that knows where an internal web application (10.240.142.84) is; it is in another branch, connected by a router (10.57.1.253). The PCs have IPs in 10.57.1.0 255.255.255.0 with default gateway 10.57.1.250, so the PCs don't know how to reach the web application (10.240.142.84): zero activity in the ASDM log. So I tried a route in the ASA:

route inside 10.240.142.84 255.255.255.255 10.57.1.253 1


With this I get activity in ASDM with a ping from PC 10.57.1.240; it shows:

Deny inbound icmp src inside 10.57.1.240 dst inside 10.240.142.84 (type 8, code 0)


This is part of my configuration:

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
global (outside) 1 X.X.X.X netmask 255.255.255.255
nat (inside) 1 10.57.1.0 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.144.146.17 2
route inside 10.240.142.84 255.255.255.255 10.57.1.253 1

Please help!!!!!
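The ASDM line quoted above is the ASA 106014 syslog message ("Deny inbound icmp src IF:IP dst IF:IP (type N, code M)") with its punctuation slightly mangled by hand-copying. As an added example that is not part of the original thread, here is a small Python parser for that message format which flags the case the poster hit: the same interface name on both the src and dst side, meaning the ASA was asked to send the packet back out the interface it arrived on. The log lines in the block are constructed for illustration and are not from the poster's device.

```python
"""Parse ASA 'Deny inbound icmp' syslog lines and flag same-interface (hairpin) denials.

Added example, not from the original thread.  The SAMPLE_LOG lines are constructed;
the message layout follows the ASA 106014 format
"Deny inbound icmp src IF:IP dst IF:IP (type N, code M)".
"""
import re
from collections import Counter
from dataclasses import dataclass

DENY_ICMP_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# Constructed sample: two hairpin attempts from the LAN towards the branch server,
# one ordinary deny from the outside, and one unrelated message that must be skipped.
SAMPLE_LOG = [
    "%ASA-3-106014: Deny inbound icmp src inside:10.57.1.240 dst inside:10.240.142.84 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src inside:10.57.1.202 dst inside:10.240.142.84 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst inside:10.57.1.250 (type 8, code 0)",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.9/80 ...",
]


@dataclass(frozen=True)
class IcmpDeny:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    icmp_type: int
    icmp_code: int

    @property
    def hairpin(self) -> bool:
        # Same ingress and egress interface: the firewall had to turn the packet
        # around on the interface it came in on, which is what the poster saw.
        return self.src_if == self.dst_if


def parse_deny(line):
    """Return an IcmpDeny for a 106014 line, or None for any other message."""
    m = DENY_ICMP_RE.search(line)
    if m is None:
        return None
    return IcmpDeny(m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"],
                    int(m["type"]), int(m["code"]))


def hairpin_report(lines):
    """Count hairpin ICMP denials per (interface, destination) so a recurring
    same-interface destination, like the branch server here, stands out."""
    counts = Counter()
    for line in lines:
        deny = parse_deny(line)
        if deny is not None and deny.hairpin:
            counts[(deny.src_if, deny.dst_ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in hairpin_report(SAMPLE_LOG).items():
        print(f"{n} hairpin denial(s) on {key[0]} towards {key[1]}")
```

Run against a real syslog export, a destination that keeps appearing in the hairpin report is a host that the firewall is being asked to reach on the same interface it is protecting, which is exactly the routing question the thread goes on to answer.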


rush2amol Tue, 12/09/2008 - 22:38

ICMP is a separate protocol, so perhaps you should try

access-list inside_access_in extended permit icmp any any; but I guess this should not affect the access to the webserver from the desktops.


I would recommend you put the routing on the router rather than on the firewall: configure the specific subnets on the router pointing to your branches, and then a default route in it pointing to the firewall. The desktops would have the router as their default gateway.

solpandor Wed, 12/10/2008 - 02:20

Hi there,

try this:

1) conf t

2) icmp permit (lan ip) (mask) inside


HTH

husycisco Wed, 12/10/2008 - 03:59

Hello Andres,

global (outside) 1 X.X.X.X netmask 255.255.255.255
nat (inside) 1 10.57.1.0 255.255.255.0

"nat (inside) 0 0.0.0.0 0.0.0.0" --> You tell the firewall NOT! to NAT ANY! traffic from inside. This command will make the commands above it PASSIVE; they will be useless.



I once made a very detailed explanation about that issue in this forum before, but I couldn't find it to give you a link. So I will explain again, less detailed for time's sake.

For example, PC 10.57.1.202 wants to connect to 10.240.142.84, so it forwards the request to its gateway 10.57.1.250, the ASA. The ASA checks its routing table and sees that it has to forward that packet, which came in on the inside interface, out the same interface again. This behaviour is denied by default. First, allow this behaviour by typing "same-security-traffic permit intra-interface".

Now the ASA correctly forwards the packet to 10.57.1.253 with a source IP of 10.57.1.202 in the packet. The router receives the packet and delivers it to 10.240.142.84, all fine. Now the return traffic destined to 10.57.1.202 will depart from the router. BUT! Since the router has a "connected route" because it is connected to the same segment (10.57.1.0), it will send the packet directly to 10.57.1.202, while it has to send the packet to the ASA, and then the ASA to 10.57.1.202. This is called "asymmetrical routing", which results in drops at the client side in terms of TCP (ping will work correctly), since the response doesn't come back from the host (the ASA) which is defined in the session table waiting for the SYN ACK. To correct this issue, you have to PAT the traffic as follows, so the return traffic will always hit the ASA.


Do the following modifications:

access-list PNat permit ip 10.57.1.0 255.255.255.0 10.240.142.0 255.255.255.0
no global (outside) 1 X.X.X.X netmask 255.255.255.255
no nat (inside) 1 10.57.1.0 255.255.255.0
no nat (inside) 0 0.0.0.0 0.0.0.0
nat (inside) 1 access-list PNat
global (inside) 1 interface
nat (inside) 5 10.57.1.0 255.255.255.0
global (outside) 5 X.X.X.X netmask 255.255.255.255


Remove the following; they are useless, since traffic from a higher security level interface to a lower one is permitted by default:

no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit tcp any any
no access-list inside_access_in extended permit tcp any eq www any
no access-group inside_access_in in interface inside


For permitting PINGs, use inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

"nat (DMZ) 0 0.0.0.0 0.0.0.0" Unless your DMZ interface and clients are placed in a public IP range, they won't be able to connect to the internet or the outside interface with this command. Post here if you are having connectivity issues with your DMZ.


Regards
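To make the two behaviours in this reply concrete, here is an added Python model (not from the thread, and not ASA code) of the path a client's TCP handshake takes through the poster's topology: the same-interface deny before "same-security-traffic permit intra-interface", the return SYN-ACK that the branch router sends straight to the client because of its connected route for 10.57.1.0/24, and the PAT to the inside interface address that forces the reply back through the firewall. It uses the poster's addresses plus the client 10.57.1.202 from the reply; the session table and forwarding logic are a simplified stateful-firewall stand-in, and the exact point at which a real ASA drops the out-of-state traffic is an assumption of the model, not something the thread states.

```python
"""Model the hairpin deny and the asymmetric return path described in the reply,
and the PAT that fixes the second.

Added example, not from the thread or from Cisco.  Addresses are the poster's
(ASA inside 10.57.1.250, branch router 10.57.1.253, server 10.240.142.84) plus
the client 10.57.1.202 used in the reply.  The session table and forwarding
logic are a small stand-in for a stateful firewall, not ASA code; the firewall
dropping the client's out-of-state ACK is this model's assumption.
"""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("10.57.1.0/24")
ASA_INSIDE, ROUTER, SERVER, CLIENT = "10.57.1.250", "10.57.1.253", "10.240.142.84", "10.57.1.202"


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class Firewall:
    intra_interface: bool = False   # same-security-traffic permit intra-interface
    pat_to_interface: bool = False  # nat (inside) 1 access-list PNat + global (inside) 1 interface
    conns: dict = field(default_factory=dict)   # (client, server) -> TCP state
    xlates: dict = field(default_factory=dict)  # translated source -> real client
    log: list = field(default_factory=list)

    def egress(self, dst):
        # Routing table: 10.57.1.0/24 connected on inside, 10.240.142.84/32 via
        # 10.57.1.253 on inside (the poster's static route), everything else outside.
        return "inside" if ipaddress.ip_address(dst) in LAN or dst == SERVER else "outside"

    def forward(self, pkt, ingress):
        """Return the packet as sent on, or None if the firewall drops it."""
        if self.egress(pkt.dst) == ingress and not self.intra_interface:
            self.log.append(f"Deny inbound tcp src {ingress}:{pkt.src} dst {ingress}:{pkt.dst}")
            return None
        if pkt.flags == "SYN":
            self.conns[(pkt.src, pkt.dst)] = "SYN_SEEN"
            if self.pat_to_interface and pkt.dst == SERVER:  # stands in for the PNat ACL match
                # Hide the client behind the inside interface address so the
                # router's reply is addressed to the firewall, not to the client.
                self.xlates[ASA_INSIDE] = pkt.src
                return Packet(ASA_INSIDE, pkt.dst, pkt.flags)
            return pkt
        if pkt.flags == "SYN-ACK":
            client = self.xlates.get(pkt.dst, pkt.dst)  # undo the PAT if one exists
            if self.conns.get((client, pkt.src)) != "SYN_SEEN":
                self.log.append(f"Deny tcp (no connection) {pkt.src} -> {pkt.dst}")
                return None
            self.conns[(client, pkt.src)] = "ESTABLISHED"
            return Packet(pkt.src, client, pkt.flags)
        # Client ACK: only passed if this firewall saw the SYN-ACK itself.
        if self.conns.get((pkt.src, pkt.dst)) != "ESTABLISHED":
            self.log.append(f"Deny tcp (out of state) {pkt.src} -> {pkt.dst}")
            return None
        return pkt


def router_delivers_to(dst):
    # The branch router has a connected route for 10.57.1.0/24, so anything in
    # that subnet is handed straight to the addressed host, never to the ASA.
    return dst if ipaddress.ip_address(dst) in LAN else None


def simulate(fw):
    """Run one client -> server TCP handshake through the topology."""
    syn = fw.forward(Packet(CLIENT, SERVER, "SYN"), ingress="inside")
    if syn is None:
        return {"syn": "denied", "syn_ack_via_firewall": False, "conn": None, "ack": "not sent"}
    # The router relays the SYN; the server answers whatever source address it saw.
    syn_ack = Packet(SERVER, syn.src, "SYN-ACK")
    via_fw = router_delivers_to(syn_ack.dst) == ASA_INSIDE
    if via_fw:
        fw.forward(syn_ack, ingress="inside")  # untranslated and passed on to the client
    ack = fw.forward(Packet(CLIENT, SERVER, "ACK"), ingress="inside")
    return {"syn": "forwarded", "syn_ack_via_firewall": via_fw,
            "conn": fw.conns[(CLIENT, SERVER)], "ack": "forwarded" if ack else "dropped"}


if __name__ == "__main__":
    for name, fw in [("default", Firewall()),
                     ("intra-interface only", Firewall(intra_interface=True)),
                     ("intra-interface + PAT", Firewall(intra_interface=True, pat_to_interface=True))]:
        print(f"{name:24} {simulate(fw)}")
        for line in fw.log:
            print(f"{'':24} {line}")
```

The three runs line up with the three states in the reply: the default firewall logs a same-interface deny and never forwards the SYN; with only intra-interface forwarding enabled the SYN reaches the server but the SYN-ACK never comes back through the firewall, so its session stays half-open and the client's next packet is out of state; with the PAT in place the router sees 10.57.1.250 as the source, answers the firewall, and the session completes.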
