Asa - Deny inbound icmp src inside...

Dec 9th, 2008

Hi, I have a problem I hope to find a solution to.

I have my LAN connected to the ASA inside interface. In my LAN I have a DNS server that knows where an internal web application is (it is in another branch, connected by a router). The PCs have IP addresses with default gateway; that way the PC doesn't know how to reach the web application (zero activity in the ASDM log), so I tried a route in the ASA:

route inside 1

With this I get activity in ASDM with a ping from the PC; it shows:

Deny inbound icmp src inside dst inside (type:8, code:0)

This is part of my configuration:

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
global (outside) 1 X.X.X.X netmask
nat (inside) 1
nat (inside) 0
nat (DMZ) 0
access-group outside_access_in in interface outside
route outside 2
route inside 1

Please help!

rush2amol Tue, 12/09/2008 - 22:38

ICMP is a separate protocol, so perhaps you should try:

access-list inside_access_in extended permit icmp any any

but I guess this should not affect the access to the webserver from the desktops.

I would recommend you put the routing on the router rather than on the firewall: configure the specific subnets on the router pointing to your branches and then a default route on it pointing to the firewall. The desktops would have the router as their default gateway.

solpandor Wed, 12/10/2008 - 02:20

Hi there,

Try this:

1) conf t

2) icmp permit (lan ip) (mask) interface inside


husycisco Wed, 12/10/2008 - 03:59

Hello Andres,

global (outside) 1 X.X.X.X netmask

nat (inside) 1

"nat (inside) 0" --> You tell the firewall NOT to NAT ANY traffic from inside. This command will make the commands above it PASSIVE; they will be useless.

I once made a very detailed explanation about that issue in this forum, but couldn't find it to give you a link. So I will explain again, less detailed for time's sake.

For example, the PC wants to connect to the web application, so it forwards the request to its gateway, the ASA. The ASA checks its routing table and sees that it has to forward that packet, which came in on the inside interface, out the same interface again. This behaviour is denied by default. First, allow this behaviour by typing "same-security-traffic permit intra-interface".

Now the ASA correctly forwards the packet, with the source IP of the PC in the packet. The router receives the packet and delivers it, all fine. Now the return traffic destined for the PC departs from the router. BUT, since the router has a "connected route" because it is on the same segment, it sends the packet directly to the PC, while it should send the packet to the ASA, and then the ASA to the PC. This is called "asymmetrical routing", which results in the traffic being dropped at the client side in terms of TCP (ping will work correctly), since the response doesn't come back from the host (ASA) that is defined in the session table waiting for the SYN ACK. To correct this issue, you have to PAT the traffic as follows so the return traffic will always hit the ASA.

Do the following modifications:

access-list PNat permit ip
no global (outside) 1 X.X.X.X netmask
no nat (inside) 1
nat (inside) 1 access-list PNat
global (inside) 1 interface
nat (inside) 5
global (outside) 1 X.X.X.X netmask

Remove the following; they are useless, since traffic from a higher security level interface to a lower one is permitted by default:

no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit tcp any any
no access-list inside_access_in extended permit tcp any eq www any
no access-group inside_access_in in interface inside

For permitting PINGs, use inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

"nat (DMZ) 0": Unless your DMZ interface and clients are placed in a public IP range, they won't be able to connect to the Internet or the outside interface with this command. Post here if you are having connectivity issues with your DMZ.
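Pulling the pieces of the thread together (the branch route, the intra-interface permit, the hairpin PAT and the ICMP inspection from the post above, plus the ICMP question raised in the first reply), here is a complete pre-8.3 ASA configuration as an added example. It is not any poster's configuration: the addresses (inside LAN 192.168.1.0/24, ASA inside 192.168.1.1, branch router 192.168.1.2 on the inside segment, branch subnet 192.168.2.0/24, test hosts 192.168.1.50 and 192.168.2.10) and the access-list name PNat are assumptions for illustration, and the NAT IDs are chosen so that each nat statement pairs with a global carrying the same number.

```cisco
! Added example, not the poster's running config. Assumed addressing:
!   inside LAN 192.168.1.0/24, ASA inside 192.168.1.1,
!   branch router 192.168.1.2 (on the inside segment), branch subnet 192.168.2.0/24.
! Pre-8.3 nat/global syntax, as used throughout the thread.

! 1. Send the branch subnet back out the inside interface via the branch router.
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1

! 2. A packet that arrives on inside must be allowed to leave on inside again
!    (the "Deny inbound ... src inside dst inside" log line is this default deny).
same-security-traffic permit intra-interface

! 3. Policy PAT for LAN-to-branch traffic only: the source becomes the ASA's own
!    inside address, so the branch router replies to the ASA instead of straight
!    to the PC (which would bypass the ASA's connection table).
access-list PNat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 1 access-list PNat
global (inside) 1 interface

! 4. Everything else from inside goes to the Internet with ordinary interface PAT.
!    Distinct ID so it does not collide with the hairpin rule; policy NAT (the
!    access-list form) is evaluated before this regular nat regardless of ID.
nat (inside) 5 0.0.0.0 0.0.0.0
global (outside) 5 interface

! 5. Let echo replies back through the box statefully instead of opening an
!    inbound ACL for icmp any any. ("icmp permit ... interface inside" only
!    governs ICMP addressed to the ASA's own interface, not traffic through it.)
policy-map global_policy
 class inspection_default
  inspect icmp

! Verification, from the ASA CLI (assumed test hosts):
!   packet-tracer input inside icmp 192.168.1.50 8 0 192.168.2.10
!     -> expect the NAT phase to show the PNat rule and a final "Action: allow"
!   show xlate        -> a PAT entry 192.168.1.50 -> 192.168.1.1 for branch flows
!   show conn         -> the PC-to-branch connection built through the hairpin
```

Two caveats a practitioner should keep in mind. The branch server now sees every LAN client as 192.168.1.1, so its own logs lose the real client address; and the whole hairpin is only needed because the PCs default-gateway to the ASA while the branch router sits on their segment. Putting the 192.168.2.0/24 route on the PCs' gateway (or making the router the gateway, as the first reply suggests) removes the asymmetric path entirely and keeps the ASA out of LAN-to-branch traffic.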
