Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
458
Views
8
Helpful
2
Replies

ICMP not working thru Firewall

Kevin Melton
Level 2
Level 2

‎05-12-2010 06:25 PM - edited ‎03-11-2019 10:44 AM

Hello Community

While working at a customer site today, we opened up another interface on our ASA here and named the interface WAN.  The WAN interface has a security level of 30.

Currently we have a 3750 switch connected to the WAN interface with a management address of 192.168.36.5.  The IP address of the WAN interface on the ASA is 192.168.36.1.  I can ping from the ASA to the Cisco 3750 successfully.

EIGRP is running on both the 3750 switch and on the ASA.

I have another Switch on the inside interface of the ASA.  I know that this switch knows about the 192.168.36.0 network because when I perform a "sho ip route 192.168.36.0" i get the following output:

Routing entry for 192.168.36.0/24
  Known via "eigrp 13", distance 90, metric 3072, type internal
  Redistributing via eigrp 13
  Last update from 172.16.132.1 on Vlan99, 03:11:21 ago
  Routing Descriptor Blocks:
  * 172.16.132.1, from 172.16.132.1, 03:11:21 ago, via Vlan99
      Route metric is 3072, traffic share count is 1
      Total delay is 20 microseconds, minimum bandwidth is 1000000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
So we know that the inside interface of the ASA is sending updates for 192.168.36.0 to the Switch on the inside.

I set up a packet capture looking for ICMP packets on the inside interface of the ASA and tried the ping to the switch @ 192.168..36.5 off the WAN interface.  I see the echo request go out but do not see replies.

I moved the packet capture to the WAN interface, but I do not see any ping packets when pinging here.

Seems that for some reason, the ASA allows the ICMP in on the Inside Interface, but does not send them across the WAN interface.

What could be the reason for this?

Thanks

Kevin

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎05-12-2010 07:07 PM

Kevin

Presumably the security level of inside interface is 0 ?

How have you enabled the firewall to allow ICMP ?

Do you have an acl either inbound on the inside interface or outbound on the new WAN interface.

Can you post route table for ASA

Jon

Joe B Danford
Cisco Employee
Cisco Employee

‎05-12-2010 07:48 PM

Kevin,

You can also take a look at this documents on how the PIX/ASA handles ICMP

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Try enabling logging to the buffer also to see if there are any related messages when you see the ping failures.

logging bufffered 6

logging on

Start your ping traffic and issue a "show log." Also you can do "debug icmp trace" to see how the ASA is handling the ICMP packets

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card