Asa - Deny inbound icmp src inside...

andresfmg
Level 1

Hi, I have a problem and I hope to find a solution.

I have my LAN connected to the ASA inside interface 10.57.1.250. In my LAN I have a DNS server that knows where an internal web application (10.240.142.84) is; it is in another branch connected by a router (10.57.1.253). The PCs have IPs in 10.57.1.0 255.255.255.0 with default gateway 10.57.1.250, so the PCs don't know how to reach the web application (10.240.142.84): zero activity in the ASDM log. So I tried a route in the ASA:

route inside 10.240.142.84 255.255.255.255 10.57.1.253 1

With this I get activity in ASDM with a ping from PC 10.57.1.240, showing:

Deny inbound icmp src inside 10.57.1.240 dst inside 10.240.142.84 (type 8, code 0)

This is part of my configuration:

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit tcp any eq www any

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any any

global (outside) 1 X.X.X.X netmask 255.255.255.255

nat (inside) 1 10.57.1.0 255.255.255.0

nat (inside) 0 0.0.0.0 0.0.0.0

nat (DMZ) 0 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 190.144.146.17 2

route inside 10.240.142.84 255.255.255.255 10.57.1.253 1

Please help!

3 Replies

rush2amol
Level 1

ICMP is a separate protocol, so perhaps you should try:

access-list inside_access_in extended permit icmp any any; but I guess this should not affect the access to the web server from the desktops.

I would recommend you put the routing on the router rather than on the firewall: configure the specific subnets on the router pointing to your branches and then a default route in it pointing to the firewall. The desktops would then have the router as their default gateway.

Hi there,

Try this:

1) conf t

2) icmp permit <lan ip> <mask> inside

HTH

Hello Andres,

global (outside) 1 X.X.X.X netmask 255.255.255.255

nat (inside) 1 10.57.1.0 255.255.255.0

"nat (inside) 0 0.0.0.0 0.0.0.0" --> You tell the firewall NOT to NAT ANY traffic from inside. This command makes the commands above it PASSIVE; they will be useless.

I once made a very detailed explanation about that issue in this forum, but I couldn't find it to give you a link. So I will explain again, less detailed for time's sake.

For example, the PC 10.57.1.202 wants to connect to 10.240.142.84, so it forwards the request to its gateway 10.57.1.250, the ASA. The ASA checks its routing table and sees that it has to forward the packet, which came in on the inside interface, out of the same interface again. This behaviour is denied by default. First, allow this behaviour by typing "same-security-traffic permit intra-interface".

Now the ASA correctly forwards the packet to 10.57.1.253 with a source IP of 10.57.1.202 in the packet. The router receives the packet and delivers it to 10.240.142.84, all fine. Now the return traffic destined to 10.57.1.202 departs from the router. BUT! Since the router has a "connected route" because it is on the same segment (10.57.1.0), it will send the packet directly to 10.57.1.202, while it has to send the packet to the ASA and then the ASA to 10.57.1.202. This is called "asymmetric routing", which results in the traffic being dropped at the client side in terms of TCP (ping will work correctly), since the response doesn't come back from the host (the ASA) which is defined in the session table waiting for the SYN ACK. To correct this issue, you have to PAT the traffic as follows so the return traffic will always hit the ASA.

Do the following modifications

access-list PNat permit ip 10.57.1.0 255.255.255.0 10.240.142.0 255.255.255.0

no global (outside) 1 X.X.X.X netmask 255.255.255.255

no nat (inside) 1 10.57.1.0 255.255.255.0

nat (inside) 1 access-list PNat

global (inside) 1 interface

nat (inside) 5 10.57.1.0 255.255.255.0

! the global id must match the nat id (5) used for the outbound statement above
global (outside) 5 X.X.X.X netmask 255.255.255.255

Remove the following; they are useless, since traffic from a higher security level interface to a lower one is permitted by default:

no access-list inside_access_in extended permit ip any any

no access-list inside_access_in extended permit tcp any any

no access-list inside_access_in extended permit tcp any eq www any

no access-group inside_access_in in interface inside

For permitting pings, use inspection:

policy-map global_policy

 class inspection_default

  inspect icmp

"nat (DMZ) 0 0.0.0.0 0.0.0.0" Unless your DMZ interface and clients are in a public IP range, they won't be able to connect to the internet or the outside interface with this command. Post here if you are having connectivity issues with your DMZ.

Regards
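Consolidating the thread into one configuration, as an added example that is not from any of the posters: the original post's pre-8.3 nat/global syntax (ASA 8.3 and later replaced it with object NAT, so this does not paste onto a current ASA) with the third reply's changes applied. It assumes the inside_access_in ACL had been applied with an access-group (the original excerpt only shows the outside one), pairs the outbound nat statement with a global carrying the same id, which pre-8.3 NAT requires for the translation to be used, and keeps X.X.X.X redacted as in the post.

```cisco
! Added consolidated example, not from the thread. Pre-8.3 ASA syntax.
! X.X.X.X is the public PAT address, redacted as in the original post.

! Allow traffic that enters and leaves the same interface: the inside-to-inside
! hairpin that produced "Deny inbound icmp src inside ... dst inside".
same-security-traffic permit intra-interface

! Remove the identity NAT that disabled every other inside NAT statement,
! and the old outbound PAT pair (re-created below with matching ids).
no nat (inside) 0 0.0.0.0 0.0.0.0
no nat (inside) 1 10.57.1.0 255.255.255.0
no global (outside) 1 X.X.X.X netmask 255.255.255.255

! Policy PAT: LAN traffic to the branch subnet is translated to the ASA's own
! inside address, so the branch router sends replies back to the ASA instead
! of straight to the LAN host. This removes the asymmetric return path.
access-list PNat extended permit ip 10.57.1.0 255.255.255.0 10.240.142.0 255.255.255.0
nat (inside) 1 access-list PNat
global (inside) 1 interface

! Ordinary outbound PAT for internet traffic. nat id and global id must match;
! id 5 is used so it does not collide with the policy PAT above.
nat (inside) 5 10.57.1.0 255.255.255.0
global (outside) 5 X.X.X.X netmask 255.255.255.255

! Routing: the branch host via the router on the inside segment, default via outside.
route inside 10.240.142.84 255.255.255.255 10.57.1.253 1
route outside 0.0.0.0 0.0.0.0 190.144.146.17 2

! Inside-to-outside traffic is permitted by default (higher to lower security
! level), so the permit-any inside ACL is not needed (assumes it was applied).
no access-group inside_access_in in interface inside
no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit tcp any any
no access-list inside_access_in extended permit tcp any eq www any

! Let ICMP echo replies back through the stateful inspection engine.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying it, a ping from a LAN host to 10.240.142.84 should appear in the ASDM log as a built ICMP connection rather than the "Deny inbound icmp" message, and `show xlate` should list the LAN host translated to 10.57.1.250 for that destination.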
