Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
201
Views
0
Helpful
2
Replies

Can't ping through Firewall

simonxiang
Level 1
Level 1

‎05-28-2015 08:34 PM - edited ‎03-11-2019 11:01 PM

I'm labbing with 2 ASAs and having problem pinging from "host" to "ISP-1" and "ISP-2"

 

Failover on the ASAs.  I can reach ISPs from ASA itself,  but not from the host.   icmp are allowed on the ASAs inbound and outbound.

------------------------------------------------------------------------------

access-list OUTBOUND_TRAFFIC extended permit icmp any any echo
access-list OUTBOUND_TRAFFIC extended permit icmp any any echo-reply
access-list INBOUND_TRAFFIC extended permit icmp any any echo
access-list INBOUND_TRAFFIC extended permit icmp any any echo-reply
access-list INBOUND_TRAFFIC extended permit icmp any any unreachable
access-list INBOUND_TRAFFIC extended permit icmp any any time-exceeded

------------------------------------------------------------------------------

 

 

on the Host node, I have its default-gateway as ASA's inside interface.

 

this is debug ip packet detail on the Host node:

 

------------------------------------------------------------------------------

Router#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

*May 29 03:13:08.665: FIBipv4-packet-proc: route packet from (local) src 1.0.0.5 dst 10.0.0.1
*May 29 03:13:08.665: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 1.0.0.1
*May 29 03:13:08.666: FIBipv4-packet-proc: packet routing succeeded
*May 29 03:13:08.666: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending
*May 29 03:13:08.666:     ICMP type=8, code=0
*May 29 03:13:08.667: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending full packet
*May 29 03:13:08.667:     ICMP type=8, code=0.
*May 29 03:13:10.665: FIBipv4-packet-proc: route packet from (local) src 1.0.0.5 dst 10.0.0.1
*May 29 03:13:10.665: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 1.0.0.1
*May 29 03:13:10.666: FIBipv4-packet-proc: packet routing succeeded
*May 29 03:13:10.666: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending
*May 29 03:13:10.666:     ICMP type=8, code=0
*May 29 03:13:10.667: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending full packet
*May 29 03:13:10.667:     ICMP type=8, code=0.
*May 29 03:13:12.665: FIBipv4-packet-proc: route packet from (local) src 1.0.0.5 dst 10.0.0.1
*May 29 03:13:12.666: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 1.0.0.1
*May 29 03:13:12.666: FIBipv4-packet-proc: packet routing succeeded
*May 29 03:13:12.666: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending
*May 29 03:13:12.667:     ICMP type=8, code=0
*May 29 03:13:12.668: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending full packet
*May 29 03:13:12.669:     ICMP type=8, code=0.
*May 29 03:13:14.665: FIBipv4-packet-proc: route packet from (local) src 1.0.0.5 dst 10.0.0.1
*May 29 03:13:14.666: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 1.0.0.1
*May 29 03:13:14.666: FIBipv4-packet-proc: packet routing succeeded
*May 29 03:13:14.666: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending
*May 29 03:13:14.666:     ICMP type=8, code=0
*May 29 03:13:14.667: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending full packet
*May 29 03:13:14.667:     ICMP type=8, code=0.
*May 29 03:13:16.665: FIBipv4-packet-proc: route packet from (local) src 1.0.0.5 dst 10.0.0.1
*May 29 03:13:16.665: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 1.0.0.1
*May 29 03:13:16.666: FIBipv4-packet-proc: packet routing succeeded
*May 29 03:13:16.666: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending
*May 29 03:13:16.666:     ICMP type=8, code=0
*May 29 03:13:16.667: IP: s=1.0.0.5 (local), d=10.0.0.1 (GigabitEthernet0/1), len 100, sending full packet
*May 29 03:13:16.667:     ICMP type=8, code=0.
Success rate is 0 percent (0/5)

------------------------------------------------------------------------------

 

 

when I do packet tracer on the ASA, everything shows ALLOWED:

packet-tracer input inside icmp 1.0.0.5 8 0 10.0.0.1

1.0.0.5 (host)

10.0.0.1 (ISP-1)

 

 

I'm using VIRL for labbing.

 

 

 

 

 

 

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎05-28-2015 11:46 PM

Have you enabled ICMP-inspection?

fixup protocol icmp

With that you don't need the ACEs for the return-traffic. But that's probably not the problem.

On the ISP-router, you can do a "debup ip icmp" to see if the pings reach the ISP-router.

0 Helpful

simonxiang
Level 1
Level 1
In response to Karsten Iwen

‎05-29-2015 06:18 AM

Sorry forgot to mention "inspect icmp" is on

 

i haven't tried debug on the ISP side. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card