Attempting to allow ICMP to my outside interface from anywhere... although I seem to be unable to do so.
Getting this in the logs:
3 Oct 07 2010 13:03:45 IKE Initiator unable to find policy: Intf outside, Src: 188.8.131.52, Dst: 184.108.40.206
3 Oct 07 2010 13:03:45 220.127.116.11 Denied ICMP type=8, code=0 from 18.104.22.168 on interface outside
I have 'icmp permit any outside' in my config as well.
Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(4)
Can someone help me out?
Make sure you have the ACL open and that your NATting is correct. You would need a static NAT for 22.214.171.124 on the outside or no NAT at all.
Also make sure the outside doesn't have the same security level as the inside.
I hope it helps.
Which ACL? There aren't any applied to the outside interface at this point. Outside Security: 0 Inside Security: 100.
Why would I need NAT on the outside for the source IP if I was just pinging it? Like I said, this is 1 out of 3 ASAs giving me problems. The others have NAT statements but not explicitly for the source IP. The packets get there but are denied for whatever reason. On the working ASAs I can't see any difference in regards to the outside interface and pinging.
No. But I haven't done that on my other 2 ASAs and I am able to ping the external (outside) interface without fail on those 2.
Firewall in question:
FW-A# show run .....
set connection advanced-options allow_76-78
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
set connection decrement-ttl
"inspect icmp" is only for "THROUGH" the box ICMP and not "TO" the box ICMP.
You do not need to enable "inspect icmp" just to be able to ping the outside interface IP. You don't even need "icmp permit any outside"; by default the ASA allows and responds to pings.
Is 126.96.36.199 the outside interface IP address?
If so, the syslog is misleading. type=8, code=0 is an ICMP request, no doubt.
Are you trying to ping the outside interface IP address from a host on the inside?
If so you cannot do that. You can only manage/ping the interface that is close to the host/client.
Thanks for clearing the 'through' and 'to' icmp requests. I wasn't clear on whether I actually needed those or not.
188.8.131.52 is my public IP... 184.108.40.206 is the public IP of the ASA in the colo. I am trying to ping from my office to the outside interface of my ASA in a colo, the same ASA I have an s2s tunnel with (shouldn't matter).
Just for shits and gigs I added my public IP to manage via SSH and I get this in the logs:
6 Oct 07 2010 13:49:12 220.127.116.11 4586 18.104.22.168 22 Deny TCP (no connection) from 22.214.171.124/4586 to 126.96.36.199/22 flags RST ACK on interface outside
I believe you may need "management-access outside" or "management-access inside" depending on which interface you would like to ping and manage via SSH.
Issue turned out to be a dynamic crypto map misconfigured....
It was matching a map that had a "permit ip any any" in it, which caused the ASA to attempt to encrypt all the traffic it saw, even if it was a ping or SSH attempt from outside.
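The misconfiguration described in the post above, as an added illustration (not the poster's actual configuration): an ASA 8.3-style dynamic crypto map whose crypto ACL matches everything, beside a scoped version. All ACL, map and transform-set names and the subnets are assumed placeholders.

```cisco
! BEFORE (the pattern described in this thread): the crypto ACL matches all
! traffic, so any packet arriving on outside, including a plain ping or SSH
! to the interface itself, is treated as VPN-interesting and the ASA looks
! for an IKE policy for it ("IKE Initiator unable to find policy").
! Names and addresses are placeholders, not the poster's configuration.
access-list VPN-TRAFFIC extended permit ip any any
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 match address VPN-TRAFFIC
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! AFTER: scope the crypto ACL to the protected subnets on each side so only
! site-to-site traffic is selected for encryption. If the dynamic entry only
! serves remote-access peers, omit "match address" on it entirely.
no access-list VPN-TRAFFIC extended permit ip any any
access-list VPN-TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

! Verify what the crypto map now selects and which SAs are actually built:
! show running-config crypto map
! show crypto ipsec sa
```

Re-test the ping and SSH to the outside interface after the change; the "IKE Initiator unable to find policy" message should no longer appear for that traffic.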
Try looking at this document: "http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml".
The first IKE message can indicate some problem with the tunnel, although "icmp permit any outside" should work if you don't have any special policy set up.
Hope this helps you.