
ICMP through an ASA running 8.4

munroe1234
Level 1

I have a one-to-one NAT configured (mail <-> xenon); however, I am unable to configure ICMP to respond on the external IP of the NAT. Below is my config; there is extra ICMP cruft that I have been trying that is probably not necessary, but any help with this problem would be helpful.

# sho run

                ^

ERROR: % Invalid input detected at '^' marker.

ciscoasa# sho run

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password psKHILtBkc/R7/X9 encrypted

passwd psKHILtBkc/R7/X9 encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

speed 100

duplex full

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xxx.xxx.xxx.124 255.255.255.248

!

boot system disk0:/asa842-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network mail

host xxx.xxx.xxx.125

object network xenon

host 192.168.90.252

object network public

host xxx.xxx.xxx.126

object network helium

host 192.168.90.249

access-list outside_access_in extended permit tcp any object xenon eq www

access-list outside_access_in extended permit tcp any object xenon eq https

access-list outside_access_in extended permit tcp any object xenon eq 587

access-list outside_access_in extended permit tcp any object xenon eq smtp

access-list outside_access_in extended permit tcp any object xenon eq 993

access-list outside_access_in extended permit tcp any object xenon eq 5666

access-list outside_access_in extended permit tcp any object xenon eq ssh

access-list outside_access_in extended permit tcp any object helium eq https

access-list outside_access_in extended permit icmp any object xenon echo-reply

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any object xenon echo

access-list wccp_redirect extended deny ip host 192.168.90.11 any

access-list wccp_redirect extended permit tcp 192.168.90.0 255.255.255.0 any eq www log

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any echo-reply inside

icmp permit any echo inside

icmp permit any outside

icmp permit any echo outside

icmp permit any echo-reply outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network xenon

nat (inside,outside) static mail

object network helium

nat (inside,outside) static public

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.121 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

wccp web-cache

wccp interface inside web-cache redirect in

4 Replies

Julio Carvajal
VIP Alumni

Hello Munroe,

Add the following command:

-Fixup protocol ICMP

Please provide the following output:

packet-tracer input outside icmp 4.2.2.2 8 0 mail_ip

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

# fixup protocol icmp

INFO: converting 'fixup protocol icmp ' to MPF commands

ciscoasa# packet-tracer input outside icmp 4.2.2.2 8 0 xxx.xxx.xxx.125

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network xenon

nat (inside,outside) static mail

Additional Information:

NAT divert to egress interface inside

Untranslate xxx.xxx.xxx.125/0 to 192.168.90.252/0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit icmp any any echo

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source dynamic any interface

Additional Information:

Phase: 9

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2298729, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

ciscoasa#

Hello Munroe,

The packet tracer shows that everything is allowed; please let me know if it's working or if we need to do further investigation (the next thing would be captures).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Is this ASA configured for some company's production environment or for test purposes?

Just wondering if the server has a default GW set in its configuration? This would explain a situation where it replies to ICMP directly from the ASA but not from the Internet (because the ICMP is not coming from a connected network of the server). Though you didn't say whether it responds to ICMP from the local network of 192.168.90.0/24.

Just thought I'd ask, as Julio said the packet tracer goes through fine.

Also, is there anything on the server that might block the ICMP echoes?

- Jouni
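The checks this thread walks through by hand (static NAT object, outside ACL referencing the real object rather than the mapped IP as required on 8.3+, and `inspect icmp` in the global policy so echo-replies return statefully) can be applied to the pasted config with a small lint. This is an added example written for this page, not code from the thread or from Cisco; it parses a constructed excerpt of the poster's own config, assumes the `(inside,outside)` interface pair used above, and deliberately ignores the `icmp permit` lines because those only govern pings to the ASA's own interfaces, not traffic through it.

```python
import re
# Constructed excerpt of the poster's config (xxx octets are the page's redaction).
ASA_CONFIG = """\
object network mail
 host xxx.xxx.xxx.125
object network xenon
 host 192.168.90.252
access-list outside_access_in extended permit icmp any object xenon echo
icmp permit any outside
object network xenon
 nat (inside,outside) static mail
policy-map global_policy
 class inspection_default
  inspect icmp
"""
ACL_ECHO = re.compile(r"access-list outside_access_in extended permit icmp \S+ (object \S+|any) echo$")

def parse(config):
    """Collect host objects, static NATs (real -> mapped object), destinations of
    outside 'permit icmp ... echo' ACEs, and whether 'inspect icmp' is enabled."""
    hosts, statics, acl, inspect, current = {}, {}, [], False, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"object network (\S+)$", s):
            current = m.group(1)
        elif m := re.match(r"host (\S+)$", s):
            hosts[current] = m.group(1)
        elif m := re.match(r"nat \(inside,outside\) static (\S+)$", s):
            statics[current] = m.group(1)
        elif m := ACL_ECHO.match(s):
            acl.append(m.group(1))
        elif s == "inspect icmp":          # 'icmp permit ...' is to-the-box only: ignored
            inspect = True
    return {"hosts": hosts, "statics": statics, "acl": acl, "inspect": inspect}

def icmp_echo_findings(config, real_obj):
    """Findings for pinging real_obj's mapped IP from outside; [] means it should work."""
    p = parse(config)
    if real_obj not in p["statics"]:
        return [f"{real_obj}: no static NAT found"]
    mapped = p["statics"][real_obj]
    findings = []
    if not {"any", f"object {real_obj}"} & set(p["acl"]):
        findings.append(f"{real_obj}: outside ACL has no 'permit icmp ... echo' for the real object")
    if f"object {mapped}" in p["acl"]:
        findings.append(f"{real_obj}: ACL names mapped object {mapped}; 8.3+ ACLs must use real IPs")
    if not p["inspect"]:
        findings.append("inspect icmp missing: echo-replies are not matched statefully")
    return findings
```

Run against the excerpt, `icmp_echo_findings(ASA_CONFIG, "xenon")` returns no findings, which matches the packet-tracer result in the thread and points the remaining investigation at the server (default gateway, host firewall) rather than the ASA.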
