Community Member

Cisco ASA Issue

Hi Guys,

I have a Cisco 5510 all working well with full internet access. My only problem is I'm unable to ping the internet from the ASA itself; I can from behind on the LAN. When checking the logs I see the following.

3 Oct 10 2013 16:11:43 8.8.8.8 Denied ICMP type=0, code=0 from 8.8.8.8 on interface outside

I have checked my access list and cannot see any deny rules.

A bit confused as to how this can happen, as I say I can ping the internet from the LAN no problem.

Any help would be great.

Thanks.

6 REPLIES
Super Bronze

Cisco ASA Issue

Hi,

Doing the ICMP from the ASA itself follows different rules than traffic going through the ASA.

Check the output of this command

show run icmp

Check that there are no "deny" rules present.

Or you could simply try adding

icmp permit any echo-reply outside

icmp permit any time-exceeded outside

icmp permit any unreachable outside

Hope this helps

- Jouni

Community Member

Cisco ASA Issue

l# show run icmp

icmp unreachable rate-limit 1 burst-size 1

icmp permit host **.**.**.** outside

icmp permit host 192.168.1.10 management

I then added in icmp permit any echo-reply outside

This resolved the issue straight away.

By default is this feature turned off, so I have to use this command all the time?

Thanks for your help anyway.

Quick response and straight to the point. Like it!

Super Bronze

Cisco ASA Issue

Hi,

Cisco documentation says

The default behavior of the adaptive security appliance is to allow all ICMP traffic to the adaptive security appliance interfaces.

I think without any "icmp" commands defined anyone can ICMP the "outside" interface. It might be that if you ICMP from the ASA directly you have to allow the Echo Reply, as you are the one generating the initial ICMP Echo and the ICMP Echo Reply is coming towards the "outside" interface. So by default I think the ASA replies to ICMP Echo, but the Echo Reply for the ICMP Echo that the ASA generated doesn't go through without an "icmp" configuration.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
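As an added example (not from the thread, and not Cisco code), the following Python models the to-the-box ICMP rule semantics behind Jouni's explanation: with no icmp command on an interface the ASA accepts all ICMP to that interface, but once any icmp rule exists on the interface the list is evaluated first-match with an implicit deny at the end, which is how the poster's single "icmp permit host ... outside" ended up dropping the echo replies from 8.8.8.8. The host address 203.0.113.10 stands in for the masked one, and the rule regex covers only the any/host forms used in the thread (both assumptions).

```python
import re
from collections import namedtuple

# ICMP type numbers for the keywords used in the thread (subset of ASA keywords).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
# fields: action, interface, src ("any" or host address), icmp_type (None = every type)
IcmpRule = namedtuple("IcmpRule", "action interface src icmp_type")

# "icmp {permit|deny} {any|host A.B.C.D} [type] ifname"; netmask form and rate-limit line stay unmatched.
RULE_RE = re.compile(r"^icmp\s+(permit|deny)\s+(any|host\s+\S+)(?:\s+(\S+))?\s+(\S+)$")
DENY_LOG_RE = re.compile(r"Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")

def parse_icmp_rules(config):
    """Extract to-the-box ICMP control rules from 'show run icmp' output."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        action, src, type_kw, iface = m.groups()
        itype = None if type_kw is None else (
            int(type_kw) if type_kw.isdigit() else ICMP_TYPES[type_kw])
        rules.append(IcmpRule(action, iface, src.split()[-1], itype))
    return rules

def icmp_to_asa_allowed(rules, interface, src_ip, icmp_type):
    """No rules on the interface: allow all; otherwise first match wins, unmatched is implicitly denied."""
    on_iface = [r for r in rules if r.interface == interface]
    if not on_iface:
        return True
    for r in on_iface:
        if r.src in ("any", src_ip) and r.icmp_type in (None, icmp_type):
            return r.action == "permit"
    return False

def parse_denied_icmp(log_line):
    """Return {type, code, src, interface} from a 'Denied ICMP ...' syslog line, or None."""
    m = DENY_LOG_RE.search(log_line)
    return None if not m else {"type": int(m[1]), "code": int(m[2]), "src": m[3], "interface": m[4]}

# Constructed stand-in for the poster's config; 203.0.113.10 replaces the masked host.
BEFORE = """icmp unreachable rate-limit 1 burst-size 1
icmp permit host 203.0.113.10 outside
icmp permit host 192.168.1.10 management"""
AFTER = BEFORE + "\nicmp permit any echo-reply outside"

def replay_denial(log_line, config):
    """Replay a logged denial against a config: True if that packet would now be accepted."""
    d = parse_denied_icmp(log_line)
    return icmp_to_asa_allowed(parse_icmp_rules(config), d["interface"], d["src"], d["type"])
```

Replaying the thread's log line against BEFORE returns False and against AFTER returns True; note that AFTER still denies type 3 (unreachable) and type 11 (time-exceeded) replies, which is why the earlier answer suggested permitting those too.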

Cisco ASA Issue

Hi James,

Have you applied icmp inspection in the global policy?

policy-map global_policy

class inspection_default 

  inspect icmp

Let me know please if this helps.

thanks

Rizwan Rafeek.

Super Bronze

Cisco ASA Issue

Hi,

He already said it works with the interface-specific "icmp" command though.

ICMP inspection only applies to traffic through the ASA, not from and to the ASA, to my understanding. Not 100% sure without checking.

- Jouni

Community Member

Cisco ASA Issue

Thank you for the update.

Another quick question: on the Cisco 5505 and 5520, what is the best way of web filtering? Will I need any additional hardware?

Thanks
