1690 Views, 5 Helpful, 6 Replies

Cisco ASA Issue

James Hoggard
Level 1

Hi Guys,

I have a Cisco 5510 all working well with full internet access. My only problem is I'm unable to ping the internet from the ASA itself; I can from behind on the LAN. When checking the logs I see the following.

3 Oct 10 2013 16:11:43 8.8.8.8 Denied ICMP type=0, code=0 from 8.8.8.8 on interface outside

I have checked my access list and cannot see any deny rules.

A bit confused as to how this can happen, as I say I can ping the internet from the LAN no problem.

Any help would be great.

Thanks.


6 Replies

Jouni Forss
VIP Alumni

Hi,

Doing the ICMP from the ASA itself follows different rules than the traffic going through the ASA.

Check the output of this command:

show run icmp

Check that there is no "deny" rules present.

Or you could simply try adding

icmp permit any echo-reply outside

icmp permit any time-exceeded outside

icmp permit any unreachable outside

Hope this helps

- Jouni

l# show run icmp

icmp unreachable rate-limit 1 burst-size 1

icmp permit host **.**.**.** outside

icmp permit host 192.168.1.10 management

I then added in icmp permit any echo-reply outside

This resolved the issue straight away.

By default is this feature turned off, so I have to use this command all the time?

Thanks for your help anyway

quick response and straight to the point. Like it!

Hi,

Cisco documentation says

The default behavior of the adaptive security appliance is to allow all ICMP traffic to the adaptive security appliance interfaces.

I think without any "icmp" commands defined anyone can ICMP the "outside" interface. It might be that if you ICMP from the ASA directly you have to allow the Echo Reply, as you are the one generating the initial ICMP Echo and the ICMP Echo Reply is coming towards the "outside" interface. So by default I think the ASA replies to ICMP Echo, but the Echo Reply for the ICMP Echo that the ASA generated doesn't go through without an "icmp" configuration.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
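The two Jouni replies above amount to a procedure: read the "Denied ICMP" messages, work out which ICMP types the ASA itself needs to receive, and permit only those with interface "icmp" rules. The script below is an added example for this thread (not Cisco code and not the poster's configuration) that automates that triage over ASA syslog text. It assumes the message body format shown in the original post ("Denied ICMP type=0, code=0 from 8.8.8.8 on interface outside"), the ICMP type keywords of the ASA "icmp" command (echo-reply, unreachable and time-exceeded appear in the thread; echo is assumed from the same command's keyword set), and the documented behaviour that once any "icmp" rule exists on an interface the ASA applies first-match with an implicit deny at the end, which is why the existing "icmp permit host ... outside" rule in the poster's output left 8.8.8.8's echo-replies denied. It only proposes permits for reply-type messages that answer traffic the ASA originated; unsolicited echo requests to the box are reported but left denied. The sample log lines are constructed, using the line from the thread plus RFC 5737 documentation addresses.

```python
"""Triage ASA 'Denied ICMP' messages and propose the minimal interface 'icmp' rules.

Added example for this forum thread; not Cisco code. Parses the message format seen
in the post and groups denials by interface and ICMP type so that only reply-type
messages the ASA itself needs (echo-reply, unreachable, time-exceeded) get permitted.
"""
import re
from collections import defaultdict

# Message body as logged by the ASA. The thread shows it preceded by a severity digit
# and a timestamp; a syslog tag may also precede it depending on the logging format.
DENIED_RE = re.compile(
    r"Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>[0-9a-fA-F.:]+) on interface (?P<iface>\S+)"
)

# ICMP type numbers (RFC 792) with the keyword the ASA "icmp" command uses for them
# (assumed keyword set; echo-reply, unreachable and time-exceeded are quoted in the thread).
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}

# Types that arrive only as answers to traffic the ASA originated (ping/traceroute from
# the box); these are the ones worth permitting, everything else stays denied.
REPLY_TYPES = {0, 3, 11}


def parse_denied(line):
    """Return a dict for a 'Denied ICMP' line, or None for any other line."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return {
        "type": int(m.group("type")),
        "code": int(m.group("code")),
        "src": m.group("src"),
        "iface": m.group("iface"),
    }


def summarize(lines):
    """Group denials as {(interface, type): {"count": n, "sources": set}}."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        key = (rec["iface"], rec["type"])
        summary[key]["count"] += 1
        summary[key]["sources"].add(rec["src"])
    return dict(summary)


def suggest_permits(summary, per_host=False):
    """Build 'icmp permit ...' lines for reply-type denials only.

    With per_host=True each denied source gets its own host rule instead of 'any';
    tighter, but it must be updated whenever the ping/traceroute target changes.
    """
    rules = []
    for (iface, icmp_type), info in sorted(summary.items()):
        if icmp_type not in REPLY_TYPES:
            continue
        name = ICMP_TYPE_NAMES[icmp_type]
        if per_host:
            for src in sorted(info["sources"]):
                rules.append(f"icmp permit host {src} {name} {iface}")
        else:
            rules.append(f"icmp permit any {name} {iface}")
    return rules


def unsolicited(summary):
    """Return (interface, type name, count) for denials that should stay denied."""
    out = []
    for (iface, icmp_type), info in sorted(summary.items()):
        if icmp_type in REPLY_TYPES:
            continue
        out.append((iface, ICMP_TYPE_NAMES.get(icmp_type, str(icmp_type)), info["count"]))
    return out


# Constructed sample log: the first two lines are the message from the thread, the rest
# are made up (RFC 5737 addresses) to show traceroute replies and an inbound probe.
SAMPLE_LOG = [
    "3 Oct 10 2013 16:11:43 8.8.8.8 Denied ICMP type=0, code=0 from 8.8.8.8 on interface outside",
    "Denied ICMP type=0, code=0 from 8.8.8.8 on interface outside",
    "Denied ICMP type=11, code=0 from 203.0.113.1 on interface outside",
    "Denied ICMP type=3, code=3 from 198.51.100.7 on interface outside",
    "Denied ICMP type=8, code=0 from 192.0.2.99 on interface outside",
    "Teardown TCP connection 12345 for outside:8.8.8.8/53 to inside:192.168.1.10/51000",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for rule in suggest_permits(summary):
        print(rule)
    for iface, name, count in unsolicited(summary):
        print(f"# left denied: {count} x {name} to {iface}")
```

Run against the sample it prints the three "icmp permit any ... outside" lines Jouni suggested and reports the single inbound echo request as left denied. Feed it the output of "show logging" to get the same summary for a real box; pass per_host=True if you prefer host-specific permits over "any".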

rizwanr74
Level 7

Hi James,

Have you applied icmp inspection in the global policy?

policy-map global_policy

class inspection_default 

  inspect icmp

Let me know please if this helps.

thanks

Rizwan Rafeek.

Hi,

He already told it works with the interface specific "icmp" command though.

ICMP Inspection only applies to traffic through the ASA not from and to the ASA to my understanding. Not 100% sure without checking.

- Jouni

Thank you for the update.

Another quick question: on the Cisco 5505 and 5520, what is the best way of web filtering? Will I need any additional hardware?

Thanks
