
ICMP through an ASA running 8.4

Unanswered Question
Jan 17th, 2012

I have a one-to-one NAT configured (mail <-> xenon), however, I am unable to configure ICMP to respond on the external IP of the NAT. Below is my config; there is extra ICMP cruft that I have been trying that is probably not necessary, but any help with this problem would be helpful.


# sho run
                ^
ERROR: % Invalid input detected at '^' marker.

ciscoasa# sho run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password psKHILtBkc/R7/X9 encrypted
passwd psKHILtBkc/R7/X9 encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 speed 100
 duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.90.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.124 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network mail
 host xxx.xxx.xxx.125
object network xenon
 host 192.168.90.252
object network public
 host xxx.xxx.xxx.126
object network helium
 host 192.168.90.249
access-list outside_access_in extended permit tcp any object xenon eq www
access-list outside_access_in extended permit tcp any object xenon eq https
access-list outside_access_in extended permit tcp any object xenon eq 587
access-list outside_access_in extended permit tcp any object xenon eq smtp
access-list outside_access_in extended permit tcp any object xenon eq 993
access-list outside_access_in extended permit tcp any object xenon eq 5666
access-list outside_access_in extended permit tcp any object xenon eq ssh
access-list outside_access_in extended permit tcp any object helium eq https
access-list outside_access_in extended permit icmp any object xenon echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any object xenon echo
access-list wccp_redirect extended deny ip host 192.168.90.11 any
access-list wccp_redirect extended permit tcp 192.168.90.0 255.255.255.0 any eq www log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network xenon
 nat (inside,outside) static mail
object network helium
 nat (inside,outside) static public
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
wccp web-cache
wccp interface inside web-cache redirect in
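An added example, not part of the original poster's configuration: the ICMP-related pieces of the config above rewritten to the narrower form that is normally run on an 8.4 ASA. It reuses the thread's object names (xenon, mail), the interface names, and the xxx.xxx.xxx.125 placeholder; the `no` commands remove the broader entries present in the posted config, and the packet-tracer source address 4.2.2.2 is the one Julio used below.

```cisco
! Added example (not from the original post). Object/interface names and the
! xxx.xxx.xxx.125 placeholder come from the thread; everything else is a choice.
!
! 1. Through-the-box ICMP: permit echo only to the published host, not "any any".
!    With ICMP inspection on, no echo-reply entry is needed on this ACL.
access-list outside_access_in extended permit icmp any object xenon echo
no access-list outside_access_in extended permit icmp any any echo
no access-list outside_access_in extended permit icmp any object xenon echo-reply
!
! 2. Make ICMP stateful so the reply rides the same connection back out.
!    This is the MPF form that "fixup protocol icmp" is converted to on 8.4.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 3. "icmp permit ... outside" only governs ICMP addressed to the ASA's own
!    outside interface address. It has no effect on traffic NATted to xenon,
!    so keep it to what is actually wanted (echo to the firewall itself).
no icmp permit any outside
no icmp permit any echo-reply outside
icmp permit any echo outside
!
! 4. Verify in the same direction the real ping travels: outside -> published IP.
packet-tracer input outside icmp 4.2.2.2 8 0 xxx.xxx.xxx.125
```

Two points the posted config blurs: the `icmp permit` lines and the `access-list ... icmp` lines govern different traffic (to the box versus through the box), and once `inspect icmp` is enabled the echo-reply is matched to the existing flow, so permitting `echo-reply` inbound on the outside ACL only widens the policy without helping the NATted host.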

Julio Carvajal Tue, 01/17/2012 - 12:15

Hello Munroe,

Add the following command:

- fixup protocol icmp

Please provide the following output:

packet-tracer input outside icmp 4.2.2.2 8 0 mail_ip

Regards,

Julio

munroe1234 Tue, 01/17/2012 - 12:20

# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands

ciscoasa# packet-tracer input outside icmp 4.2.2.2 8 0 xxx.xxx.xxx.125

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network xenon
 nat (inside,outside) static mail
Additional Information:
NAT divert to egress interface inside
Untranslate xxx.xxx.xxx.125/0 to 192.168.90.252/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any any echo
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2298729, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa#

Julio Carvajal Tue, 01/17/2012 - 12:51

Hello Munroe,

The packet tracer shows that everything is allowed. Please let me know if it's working or if we need to do further investigation (the next thing would be captures).

Regards,

Julio

Jouni Forss Wed, 01/18/2012 - 04:04

Hi,

Is this ASA configured for some company's production environment or for test purposes?

Just wondering if the server has a default GW set in its configuration? This would explain a situation where it replies to ICMP directly from the ASA but not from the Internet (because the ICMP is not coming from a connected network of the server). Though you didn't say whether it responds to ICMP from the local network of 192.168.90.0/24.

Just thought I'd ask, as Julio said the packet tracer goes through fine.

Also, is there anything on the server that might block the ICMP echoes?

- Jouni
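An added example, not from either replier: the capture step Julio mentions, set up so that the host-side causes Jouni raises (missing default gateway, host firewall) can be told apart from a firewall drop. Addresses are the ones in the posted config; the capture names `cap-out` and `cap-in` are arbitrary.

```cisco
! Added example (not from the thread). Capture the same ping on both sides of
! the static NAT so the point at which it stops is visible.
!
! Echo arriving from the Internet at the published address
capture cap-out interface outside match icmp any host xxx.xxx.xxx.125
! The same flow after un-NAT, on the inside interface
capture cap-in interface inside match icmp any host 192.168.90.252
!
! Ping the public address from an outside host, then inspect:
show capture cap-out
show capture cap-in
!
! How to read it:
!  - cap-out shows the echo and cap-in shows the echo, but cap-in shows no
!    echo-reply: the ASA forwarded the packet and the server did not answer
!    toward the ASA (host firewall, or a missing/incorrect default gateway).
!  - cap-in shows the echo-reply but cap-out does not: the ASA dropped the
!    reply on the way out; check "show asp drop" and the ICMP inspection.
!  - cap-out shows nothing at all: the echo never reached the firewall.
!
! Remove the captures when finished
no capture cap-out
no capture cap-in
```

Because the static NAT rewrites the destination, the outside capture must match the public address and the inside capture the private one; a single capture on one interface cannot show whether the server replied.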
