Cisco Support Community
New Member

Help with ASA 5510 and 8.3

Attempting to allow ICMP to my outside interface from anywhere, although I seem to be unable to do so.

Getting this in the logs:

3    Oct 07 2010    13:03:45                        IKE Initiator unable to find policy: Intf outside, Src: 99.55.44.86, Dst: 73.82.134.12

3    Oct 07 2010    13:03:45        73.82.134.12                Denied ICMP type=8, code=0 from 73.82.134.12 on interface outside

I have 'icmp permit any outside' in my config as well.

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(4)

Can someone help me out?

  • Firewalling
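The two syslog lines quoted in the question make more sense read together than apart: the ICMP denial alone looks like an ACL problem, but the "IKE Initiator unable to find policy" event logged in the same second, with the pinging host as its Dst, shows the ASA trying to start an IPsec negotiation for that host's traffic. The following script is an added example, not code from the thread or from Cisco; it parses ASA log lines in the column layout the poster pasted (severity, date, time, optional address columns, message text) and reports any peer for which an IKE "unable to find policy" event and a to-the-box denial coincide. The sample log is constructed from the thread's two lines plus two extra lines using documentation addresses; the column layout and the `correlate` helper are assumptions of this example.

```python
"""Correlate ASA syslog lines that together point at a crypto map claiming
to-the-box traffic. Added example; log format is an assumption based on the
thread's copy-paste, not a documented ASA export format."""
import re
from collections import defaultdict

# Constructed sample: the thread's lines plus two extra lines for contrast.
SAMPLE_LOG = """\
3    Oct 07 2010    13:03:45                        IKE Initiator unable to find policy: Intf outside, Src: 99.55.44.86, Dst: 73.82.134.12
3    Oct 07 2010    13:03:45        73.82.134.12                Denied ICMP type=8, code=0 from 73.82.134.12 on interface outside
6    Oct 07 2010    13:49:12        73.82.134.12    4586    99.55.44.86    22    Deny TCP (no connection) from 73.82.134.12/4586 to 99.55.44.86/22 flags RST ACK  on interface outside
6    Oct 07 2010    13:50:00        203.0.113.9                Denied ICMP type=8, code=0 from 203.0.113.9 on interface outside
"""

# severity, "Mon DD YYYY", HH:MM:SS, then whatever the GUI pasted after it
PREFIX_RE = re.compile(r"^(\d)\s+(\w{3} \d{2} \d{4})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")
IKE_RE = re.compile(r"IKE Initiator unable to find policy: Intf (\S+), Src: (\S+), Dst: (\S+)")
ICMP_RE = re.compile(r"Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")
TCP_RE = re.compile(r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+)")


def parse_line(line):
    """Turn one pasted log line into a dict, or None if the prefix does not match."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    sev, date, time, rest = m.groups()
    rec = {"severity": int(sev), "date": date, "time": time, "raw": rest}
    if k := IKE_RE.search(rest):
        # Src is the ASA's own interface; Dst is the remote host it tried to negotiate with
        rec.update(kind="ike_no_policy", intf=k.group(1), src=k.group(2), dst=k.group(3))
    elif k := ICMP_RE.search(rest):
        rec.update(kind="icmp_denied", icmp_type=int(k.group(1)), src=k.group(3), intf=k.group(4))
    elif k := TCP_RE.search(rest):
        rec.update(kind="tcp_denied", src=k.group(1), dst=k.group(3), dport=int(k.group(4)))
    else:
        rec["kind"] = "other"
    return rec


def correlate(lines):
    """Return peer addresses for which an IKE 'unable to find policy' event and a
    to-the-box denial (ICMP echo or TCP) were logged within the same second.
    That pairing is the signature of a crypto map matching the peer's traffic."""
    by_second = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_second[(rec["date"], rec["time"])].append(rec)
    hits = set()
    for recs in by_second.values():
        ike_peers = {r["dst"] for r in recs if r["kind"] == "ike_no_policy"}
        for r in recs:
            if r["kind"] in ("icmp_denied", "tcp_denied") and r["src"] in ike_peers:
                hits.add(r["src"])
    return sorted(hits)


if __name__ == "__main__":
    for peer in correlate(SAMPLE_LOG.splitlines()):
        print(f"{peer}: denied to-the-box traffic coincides with an IKE initiation; check crypto map ACLs")
```

The 13:49:12 SSH denial in the sample is not reported because no IKE event shares its second; on the real box it would be, since the same crypto map claimed the SSH return traffic too.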
9 REPLIES
Cisco Employee

Re: Help with ASA 5510 and 8.3

Make sure you have the ACL open and that your natting is correct. You would need a static nat for 73.82.134.12 on the outside or no nat at all.

Also make sure the outside doesn't have the same security level as the inside.

I hope it helps.

PK

New Member

Re: Help with ASA 5510 and 8.3

Which ACL? There aren't any applied to the outside interface at this point. Outside Security: 0 Inside Security: 100.

Why would I need NAT on the outside for the source IP if I was just pinging it? Like I said, this is 1 out of 3 ASAs giving me problems. The others have NAT statements but not explicitly for the source IP. The packets get there but are denied for whatever reason. On the working ASAs I can't see any difference in regards to the outside interface and pinging.

New Member

Re: Help with ASA 5510 and 8.3

Hi,

Have you enabled the policy-map to inspect icmp?

policy-map global_policy
class inspection_default
  inspect icmp

New Member

Re: Help with ASA 5510 and 8.3

No. But I haven't done that on my other 2 ASAs and I am able to ping the external (outside) interface without fail on those 2.

Firewall in question:

FW-A# show run .....
policy-map global_policy
description tcp-traffic
class tcp-traffic
  set connection advanced-options allow_76-78
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
class ttl-class
  set connection decrement-ttl

Cisco Employee

Re: Help with ASA 5510 and 8.3

inspect icmp is only for "THROUGH" the box icmp and not "TO" the box icmp.

You do not need to enable inspect icmp just to be able to ping the outside interface IP. You don't even need "icmp permit any outside"; by default the ASA allows and responds to pings.

Is 73.82.134.12 the outside interface IP address?

If so the syslog is misleading. type=8, code=0 is an ICMP request - no doubt.

Are you trying to ping the outside interface IP address from a host on the inside?

If so, you cannot do that. You can only manage/ping the interface that is close to the host/client.

-KS

New Member

Re: Help with ASA 5510 and 8.3

Thanks for clearing up the 'through' and 'to' icmp requests. I wasn't clear on whether I actually needed those or not.

73.82.134.12 is my public IP... 99.55.44.86 is the public IP of the ASA in the colo. I am trying to ping from my office to the outside interface of my ASA in a colo, the same ASA I have an s2s tunnel with (shouldn't matter).

Just for shits and giggles I added my public IP to manage via SSH and I get this in the logs:

6    Oct 07 2010    13:49:12        73.82.134.12    4586    99.55.44.86    22    Deny TCP (no connection) from 73.82.134.12/4586 to 99.55.44.86/22 flags RST ACK  on interface outside

Cisco Employee

Re: Help with ASA 5510 and 8.3

I believe you may need "management-access outside" or "management-access inside" depending on which interface you'd like to ping and manage via ssh.

-KS

New Member

Re: Help with ASA 5510 and 8.3

Issue turned out to be a misconfigured dynamic crypto map....

It was matching a map that had a permit ip any any in it which caused the ASA to attempt to encrypt all the traffic it saw, even if it was a ping or ssh attempt from outside.
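The root cause above is a crypto map whose match ACL permits ip any any, so every packet the outside interface sees, including pings and SSH aimed at the interface itself, is treated as interesting traffic for IPsec. The following lint is an added example, not code from the thread or from Cisco: it reads an ASA running-config as text and reports every crypto map entry (static, or dynamic via the static map that references it) whose match ACL contains a catch-all permit, together with the interface the map is bound to. The sample config is constructed for the example; the parsed line forms (`access-list ... extended`, `match address`, `ipsec-isakmp dynamic`, `crypto map ... interface`) are the standard ASA keywords, and the helper names are this example's own.

```python
"""Flag crypto maps whose match ACL is a catch-all 'permit ip any any'.
Added example; reads config text, does not talk to a device."""
import re
from collections import defaultdict

# Constructed sample config (not the poster's real config). Addresses from the
# thread are reused only as the peer; the ACLs and map names are made up.
SAMPLE_CONFIG = """\
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list dyn_map_acl extended permit ip any any
crypto dynamic-map DYN 10 match address dyn_map_acl
crypto dynamic-map DYN 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 99.55.44.86
crypto map outside_map 65535 ipsec-isakmp dynamic DYN
crypto map outside_map interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
MATCH_RE = re.compile(r"^crypto\s+(?:dynamic-)?map\s+(\S+)\s+(\d+)\s+match\s+address\s+(\S+)$")
DYN_REF_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+ipsec-isakmp\s+dynamic\s+(\S+)$")
IFACE_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+interface\s+(\S+)$")


def parse_config(text):
    """Collect ACL entries, crypto map match ACLs, dynamic-map references and
    interface bindings from the config text."""
    acls = defaultdict(list)   # acl name -> [(action, protocol, remainder)]
    match_acl = {}             # (map name, seq) -> acl name
    dyn_refs = {}              # (static map, seq) -> dynamic map name
    bound = {}                 # static map name -> interface
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := MATCH_RE.match(line):
            match_acl[(m.group(1), m.group(2))] = m.group(3)
        elif m := DYN_REF_RE.match(line):
            dyn_refs[(m.group(1), m.group(2))] = m.group(3)
        elif m := IFACE_RE.match(line):
            bound[m.group(1)] = m.group(2)
    return acls, match_acl, dyn_refs, bound


def is_catch_all(entry):
    """True for 'permit ip any any' (source any, destination any)."""
    action, proto, rest = entry
    return action == "permit" and proto == "ip" and rest.split()[:2] == ["any", "any"]


def find_catch_all_crypto_acls(text):
    """Return (interface, map, seq, acl) for each crypto map entry whose match
    ACL has a catch-all permit. A dynamic map is reported through the static
    map that references it so the bound interface can be shown."""
    acls, match_acl, dyn_refs, bound = parse_config(text)
    findings = []
    for (name, seq), acl in match_acl.items():
        if not any(is_catch_all(e) for e in acls.get(acl, [])):
            continue
        if name in bound:
            findings.append((bound[name], name, seq, acl))
        else:
            for (static, _sseq), dyn in dyn_refs.items():
                if dyn == name:
                    findings.append((bound.get(static, "?"), f"{static} -> {name}", seq, acl))
    return findings


if __name__ == "__main__":
    for iface, name, seq, acl in find_catch_all_crypto_acls(SAMPLE_CONFIG):
        print(f"interface {iface}: crypto map {name} seq {seq} matches ACL {acl}, "
              f"which permits ip any any and will claim traffic to the interface itself")
```

The fix on the device is the one the thread reached: narrow the crypto ACL to the real protected networks (or, for a remote-access dynamic map, drop the explicit catch-all match) so that replies to pings and SSH sessions terminating on the outside interface are no longer steered into IPsec.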

New Member

Re: Help with ASA 5510 and 8.3

Hi,

Try looking at this document: "http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml".

The first IKE message can indicate some problem with the tunnel, although "icmp permit any outside" should work if you don't have any special policy set up.

Hope this helps you

Robertson
