ICMP not working thru Firewall

Unanswered Question
May 12th, 2010

Hello Community

While working at a customer site today, we opened up another interface on our ASA here and named the interface WAN.  The WAN interface has a security level of 30.

Currently we have a 3750 switch connected to the WAN interface with a management address of 192.168.36.5.  The IP address of the WAN interface on the ASA is 192.168.36.1.  I can ping from the ASA to the Cisco 3750 successfully.

EIGRP is running on both the 3750 switch and on the ASA.

I have another Switch on the inside interface of the ASA.  I know that this switch knows about the 192.168.36.0 network because when I perform a "sho ip route 192.168.36.0" i get the following output:

Routing entry for 192.168.36.0/24
  Known via "eigrp 13", distance 90, metric 3072, type internal
  Redistributing via eigrp 13
  Last update from 172.16.132.1 on Vlan99, 03:11:21 ago
  Routing Descriptor Blocks:
  * 172.16.132.1, from 172.16.132.1, 03:11:21 ago, via Vlan99
      Route metric is 3072, traffic share count is 1
      Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
So we know that the inside interface of the ASA is sending updates for 192.168.36.0 to the Switch on the inside.

I set up a packet capture looking for ICMP packets on the inside interface of the ASA and tried the ping to the switch @ 192.168..36.5 off the WAN interface.  I see the echo request go out but do not see replies.

I moved the packet capture to the WAN interface, but I do not see any ping packets when pinging here.

Seems that for some reason, the ASA allows the ICMP in on the Inside Interface, but does not send them across the WAN interface.

What could be the reason for this?

Thanks

Kevin

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
Jon Marshall Wed, 05/12/2010 - 19:07

Kevin

Presumably the security level of inside interface is 0 ?

How have you enabled the firewall to allow ICMP ?

Do you have an acl either inbound on the inside interface or outbound on the new WAN interface.

Can you post route table for ASA

Jon

Joe B Danford Wed, 05/12/2010 - 19:48

Kevin,

You can also take a look at this documents on how the PIX/ASA handles ICMP

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Try enabling logging to the buffer also to see if there are any related messages when you see the ping failures.

logging bufffered 6

logging on

Start your ping traffic and issue a "show log." Also you can do "debug icmp trace" to see how the ASA is handling the ICMP packets

Actions

This Discussion