Firewall configuration assistance

cciesec2011
Level 3

I am seeing this message on my syslog server that I have NO explanation for.
Perhaps someone can point me in the right direction.

hostA---(i)ASAVPN(o)---ASAFW---Internet---VPNc--hostB

I have a site-to-site VPN between hostA and hostB between the ASA and the VPNc.
hostA is 192.168.1.1, ASAVPN inside interface is 192.168.1.254. ASAVPN outside interface
is 10.1.1.1 and the ASAFW internal interface is 10.1.1.254. Here is the configuration on
the ASAFW, VPNc external ip address is 65.198.18.190:

static (i,o) 4.2.2.2 10.1.1.1 netmask 255.255.255.255
access-list FW-out permit icmp VPNc 4.2.2.2 log
access-list FW-out permit udp VPNc 4.2.2.2 eq 500 log
access-list FW-out permit udp VPNc 4.2.2.2 eq 4500 log
access-list FW-out permit esp VPNc 4.2.2.2 log
access-list FW-out deny ip any any log
access-group FW-out in interface outside

on the ASAVPN, this is what I have (relevant configuration):

no nat-control
icmp permit host 10.1.1.254 outside
access-list vpn permit host 192.168.1.1 host 192.168.2.1
isakmp identity address
isakmp nat-traversal 10
crypto isakmp enable
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer VPNc
crypto map vpn 10 set trans 3des
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address vpn
crypto map vpn interface outside

VPNc public interface:  165.10.18.59
VPNc Private interface: 192.168.2.254
hostB:  192.168.2.1

ASA is running version 8.2.1

The site-2-site VPN between the VPNc and the ASAVPN is working fine.  However, I am getting this syslog
message from the ASAVPN on my syslog server:

ASAVPN Mar 25 2010 02:09:39: %ASA-3-313001: Denied
ICMP type=11, code=0 from 152.63.38.173 on interface outside

How does this IP 152.63.38.173 even make it to the ASAVPN device?


Kureli Sankar
Cisco Employee

That appears to be ICMP time exceeded message.

Maybe someone from the inside was trying to do a traceroute to an ip address on the outside and the icmp time exceeded message arriving on the outside interface is being denied. I am not sure if you have icmp and icmp error inspection enabled. In addition to that you need to allow icmp time exceeded and icmp unreachable on the outside interface.

To understand how traceroute works follow this link: http://www.freesoft.org/CIE/Topics/54.htm

-KS
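As an added example (not part of the original thread), a small Python triage helper that parses %ASA-3-313001 messages like the one above, separates ICMP error replies (time-exceeded, unreachable) such as traceroute produces from unsolicited probes, and derives the interface-level `icmp permit` line KS describes. Only the first sample log line is the poster's; the others are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# %ASA-3-313001 is logged when ICMP addressed to the ASA itself is denied
# by the interface "icmp permit/deny" rules (not by an access-group ACL).
LOG_RE = re.compile(
    r"%ASA-3-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on interface (?P<iface>\S+)"
)

# ICMP error types: replies to traffic the firewall sent or forwarded,
# keyed by the keyword ASA accepts in "icmp permit ... <type> <interface>".
ICMP_ERRORS = {3: "unreachable", 11: "time-exceeded", 12: "parameter-problem"}
ICMP_NAMES = {0: "echo-reply", 8: "echo", **ICMP_ERRORS}

# Constructed sample input: line 1 is the poster's message (joined onto one
# line); lines 2-4 are made up, using documentation-range addresses.
SAMPLE_LOGS = [
    "ASAVPN Mar 25 2010 02:09:39: %ASA-3-313001: Denied ICMP type=11, code=0 "
    "from 152.63.38.173 on interface outside",
    "ASAVPN Mar 25 2010 02:09:41: %ASA-3-313001: Denied ICMP type=3, code=3 "
    "from 203.0.113.7 on interface outside",
    "ASAVPN Mar 25 2010 02:10:02: %ASA-3-313001: Denied ICMP type=8, code=0 "
    "from 198.51.100.9 on interface outside",
    "ASAVPN Mar 25 2010 02:10:05: %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444",
]

@dataclass
class DeniedIcmp:
    src: str
    iface: str
    icmp_type: int
    code: int

    @property
    def name(self) -> str:
        return ICMP_NAMES.get(self.icmp_type, f"type-{self.icmp_type}")

    @property
    def is_error_reply(self) -> bool:
        return self.icmp_type in ICMP_ERRORS

def parse_313001(line: str) -> Optional[DeniedIcmp]:
    m = LOG_RE.search(line)
    return DeniedIcmp(m["src"], m["iface"], int(m["type"]), int(m["code"])) if m else None

def suggested_permit(d: DeniedIcmp) -> Optional[str]:
    """Interface-level permit for error replies only; probes stay denied."""
    return f"icmp permit any {d.name} {d.iface}" if d.is_error_reply else None

def triage(lines):
    """Bucket denied ICMP by (interface, type): expected error replies vs. probes."""
    errors, probes = {}, {}
    for d in filter(None, map(parse_313001, lines)):
        (errors if d.is_error_reply else probes).setdefault((d.iface, d.name), set()).add(d.src)
    return errors, probes
```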
