Can someone help me to understand the log output of my ASA. First let me try to explain the dilemma. I am trying to reach the ASA interface in another DMZ. Let's say that I am in the inside interface and try to reach DMZ100(ping from inside 10.10.10.10 to DMZ100 AT 10.100.1.1). There is what the ASA shows and what I am trying to understand:
1. I have icmp enable in the default inspection rule
6 Nov 25 2010 10:20:56 302021 10.10.10.10 1 10.100.1.1 0 Teardown ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0
And below is the explanation given by the ASA when I hover my mouse over the output
ICMP connection is removed in the fast path when statefull ICMP packet is enabled using ICMP INSPECT COMMAND
ICMP is enable under inspect rule
2. icmp is disable in the inspection rule
policy-map global_policy class inspection_default no inspect icmp
6 Nov 25 2010 10:27:12 302020 10.10.10.10 1 10.100.1.1 0 Built inbound ICMP connection for faddr 10.10.10.10/1 gaddr 10.100.1.1/0 laddr 10.100.1.1/0
ICMP session is established in the fast-path when statefull ICMP packet is enabled using ICMP inspection command
Looking for an explanation for the statements in bold and underlign and both cases the host from inside keep sending request timed out. Ideas and comments to resolved the request time out to reply will be greatly appreciate.
ASA does not support that. You can't ping the cross interface (ie: if you are connected to the inside interface of the ASA, you can't ping the DMZ interface of the ASA). This is not supported by design.
If you are connected to the ASA inside interface, you can only ping the ASA inside interface, and to ping the DMZ interface, you would need to be connected from the DMZ interface of the ASA.
The ICMP inspection is for ICMP traffic through the ASA, ie: a host from inside network tried to ping a host at dmz network.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...