Cisco Support Community
Community Member

FW log clarifications

Hi all experts,

Can someone help me to understand the log output of my ASA? First let me try to explain the dilemma. I am trying to reach the ASA interface in another DMZ. Let's say that I am in the inside interface and try to reach DMZ100 (ping from inside to DMZ100 AT There is what the ASA shows and what I am trying to understand:

1. I have ICMP enabled in the default inspection rule

6 Nov 25 2010 10:20:56 302021 1 0 Teardown ICMP connection for faddr gaddr laddr

And below is the explanation given by the ASA when I hover my mouse over the output

ICMP connection is removed in the fast path when statefull ICMP packet is enabled using ICMP INSPECT COMMAND

ICMP is enabled under the inspect rule

2. ICMP is disabled in the inspection rule

policy-map global_policy
        class inspection_default
          no inspect icmp

6 Nov 25 2010 10:27:12 302020 1 0 Built inbound ICMP connection for faddr gaddr laddr

ICMP session is established in the fast-path when statefull ICMP packet is enabled using ICMP inspection command

Looking for an explanation for the statements in bold and underlined; in both cases the host from inside keeps sending request timed out. Ideas and comments to resolve the request timed out to reply will be greatly appreciated.

Thanks a lot,

Jean Paul

Cisco Employee

Re: FW log clarifications

ASA does not support that. You can't ping the cross interface (i.e., if you are connected to the inside interface of the ASA, you can't ping the DMZ interface of the ASA). This is not supported by design.

If you are connected to the ASA inside interface, you can only ping the ASA inside interface, and to ping the DMZ interface, you would need to be connected from the DMZ interface of the ASA.

The ICMP inspection is for ICMP traffic through the ASA, i.e., a host from inside network tried to ping a host at dmz network.

Hope that helps.
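
The distinction drawn in the reply above can be checked against the 302020/302021 log lines themselves. The following is an added example, not code from the thread or from Cisco: it sorts ICMP connection messages into pings to the ASA's near interface, pings to a far interface (the unsupported case) and traffic through the ASA. The interface table and sample log lines are constructed, and the script assumes the faddr/gaddr/laddr fields carry address/number pairs.

```python
import ipaddress
import re

# Hypothetical interface table: name -> (ASA interface address, attached subnet).
ASA_INTERFACES = {
    "inside": ("10.0.0.1", "10.0.0.0/24"),
    "DMZ100": ("192.168.100.1", "192.168.100.0/24"),
}

# Constructed sample lines following the 302020/302021 layout quoted in the thread.
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.25/1 gaddr 192.168.100.1/0 laddr 192.168.100.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.25/1 gaddr 192.168.100.1/0 laddr 192.168.100.1/0
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.100.50/0 gaddr 10.0.0.25/1 laddr 10.0.0.25/1
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.25/1 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
"""

LINE_RE = re.compile(
    r"(30202[01]).*?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)

def interface_of(addr):
    """Return the name of the interface whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, (_, subnet) in ASA_INTERFACES.items():
        if ip in ipaddress.ip_network(subnet):
            return name
    return None

def classify(line):
    """Label one log line; returns None for lines that are not ICMP Built/Teardown."""
    m = LINE_RE.search(line)
    if not m:
        return None
    endpoints = [m["faddr"], m["laddr"]]
    own = {ip: name for name, (ip, _) in ASA_INTERFACES.items()}
    # Try each endpoint as the ASA's own address, with the other as the peer.
    for box, peer in (endpoints, endpoints[::-1]):
        if box in own:
            if interface_of(peer) == own[box]:
                return "to-the-box (near interface)"
            return "to-the-box (far interface, unsupported by design)"
    return "through-traffic (subject to ICMP inspection)"

def classify_log(text):
    """Classify every matching line in a block of log text."""
    return [c for c in map(classify, text.splitlines()) if c is not None]

if __name__ == "__main__":
    for label in classify_log(SAMPLE_LOG):
        print(label)
```
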
