300 Views | 0 Helpful | 4 Replies

ASA 5510 - additional outside /27 address block. No ICMP into it.

DjDamo
Level 1

Hi all.... hoping for an easy answer to this one.  I have seen a few views that don't help me.  I have just migrated a Watchguard X series to an ASA 5510.  I have a 2811 in front of it to handle the BGP peering previously handled by the WG.  All is well.  There are several public facing services behind the ASA, hence the additional /27.  The outside interface of the ASA is one half of another /30.  I defined all the /27 addresses as objects and used them OK in access and NAT rules.  The public services are OK and I can get out to the internet from DMZ and Inside networks.

I have just realised that my externally hosted monitoring service that polls (pings mostly) the public servers (the servers responding to the /27 addresses) isn't working.  I can't ping any of the /27 addresses from outside.  I can ping the outside interface /30 address.  There is an access-list rule any any for ICMP - in on the outside interface.

I am missing something simple right?

Cheers

Damien.

4 Replies

jj27
Spotlight

Is there by chance a firewall on your internal resources that are NATted to the public IPs that would prevent ICMP?

No.... some more detail in response above.  The issue is ICMP to the /27 public addresses from the internet.  Can get to any NATted service, just no ICMP.

DA

Jon Marshall
Hall of Fame

Damien

Another possible cause is if you have an acl applied to the inside interface that might be blocking the return ICMP packets.

If you are using ICMP inspection you should be fine, but if not you would need to modify the inside ACL.

Jon

Jon, no ACLs on inside interface.  But the issue is unrelated to the inside.  I can't ping these public addresses from the internet. Yet I can ping the external interface /30 address from the internet OK.  I can also get to the NATted services that are using the /27 addresses, just no ICMP!  There is an any-any in rule on outside for ICMP.

I am thinking the way I have used the /27 addresses must be incorrect.  Struggling to find any doco though.

Damien.
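As an added example, not taken from any post in this thread: the pieces the replies above refer to (a /27 address as an object with static NAT, an outside access rule for ICMP, and ICMP inspection in the global policy) written out in ASA 8.3-or-later syntax, where the outside ACL must match the real (pre-NAT) host, not the public /27 address, followed by the `packet-tracer` check that shows which phase drops an inbound echo. All addresses, object and ACL names are constructed placeholders; the monitoring host is assumed to be a single address so the rule is narrower than any-any.

```text
! Real server (assumed 10.10.10.5) mapped to one of the /27 public addresses (assumed 203.0.113.5)
object network web1
 host 10.10.10.5
 nat (inside,outside) static 203.0.113.5
!
! Monitoring source (assumed 198.51.100.10); permit only echo, not all ICMP
object network monitor1
 host 198.51.100.10
!
! From 8.3 onward the outside ACL references the REAL address object,
! i.e. "object web1", not the mapped 203.0.113.5
access-list OUTSIDE_IN extended permit icmp object monitor1 object web1 echo
access-group OUTSIDE_IN in interface outside
!
! ICMP inspection lets the echo-reply return without an explicit inside rule
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Check: simulate an echo (type 8, code 0) from the monitor to the public /27 address
! and read the phase (ACCESS-LIST, NAT, INSPECT) that reports DROP, if any
packet-tracer input outside icmp 198.51.100.10 8 0 203.0.113.5 detailed
```

Run the `packet-tracer` line on the ASA itself; its final "Action: allow/drop" and the phase that drops tell you whether the ACL, the NAT translation or the inspection path is the problem.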
