Help with ASA 5510 and 8.3

the-lebowski
Level 4

Attempting to allow ICMP to my outside interface from anywhere... although I seem to be unable to do so.

Getting this in the logs:

3    Oct 07 2010    13:03:45                        IKE Initiator unable to find policy: Intf outside, Src: 99.55.44.86, Dst: 73.82.134.12

3    Oct 07 2010    13:03:45        73.82.134.12                Denied ICMP type=8, code=0 from 73.82.134.12 on interface outside

I have 'icmp permit any outside' in my config as well.

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(4)

Can someone help me out?
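The two log entries above are the pair worth noticing: a denial of an inbound packet on the outside interface at the same second as an "IKE Initiator unable to find policy" message whose Src is the ASA's own outside IP and whose Dst is the denied packet's sender. That pairing means the firewall's reply was steered into a crypto map instead of being sent, which is what the thread later concludes. As an added example that is not from the original post, this Python script correlates such lines; the log lines are constructed in a simplified form of the ASDM rows pasted above (severity, timestamp, message), the 203.0.113.9 entry is an added decoy, and the SSH denial uses the line the poster shares further down.

```python
"""Correlate ASA log lines to find denials whose matching IKE-initiator message
shows the firewall trying to encrypt its own reply (added example, not from the
thread; sample lines are constructed)."""
import re
from datetime import datetime, timedelta

# Constructed sample: <severity> <timestamp> <message>, modelled on the thread's rows.
SAMPLE_LOG = """\
3 Oct 07 2010 13:03:45 IKE Initiator unable to find policy: Intf outside, Src: 99.55.44.86, Dst: 73.82.134.12
3 Oct 07 2010 13:03:45 Denied ICMP type=8, code=0 from 73.82.134.12 on interface outside
6 Oct 07 2010 13:49:12 Deny TCP (no connection) from 73.82.134.12/4586 to 99.55.44.86/22 flags RST ACK on interface outside
3 Oct 07 2010 13:49:12 IKE Initiator unable to find policy: Intf outside, Src: 99.55.44.86, Dst: 73.82.134.12
6 Oct 07 2010 13:50:01 Denied ICMP type=8, code=0 from 203.0.113.9 on interface outside
"""

LINE_RE = re.compile(r"^(\d)\s+(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
IKE_RE = re.compile(r"IKE Initiator unable to find policy: Intf (\S+), Src: (\S+), Dst: (\S+)")
ICMP_RE = re.compile(r"Denied ICMP type=\d+, code=\d+ from (\S+) on interface (\S+)")
TCP_RE = re.compile(r"Deny TCP \(no connection\) from (\S+)/\d+ to \S+/\d+ .* on interface (\S+)")


def parse(log_text):
    """Turn log lines into events: 'ike' (ASA-initiated IKE toward a remote host)
    or 'deny' (inbound packet dropped on an interface)."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%b %d %Y %H:%M:%S")
        msg = m.group(3)
        ike = IKE_RE.search(msg)
        if ike:
            events.append({"kind": "ike", "ts": ts, "intf": ike.group(1),
                           "local": ike.group(2), "remote": ike.group(3), "msg": msg})
            continue
        icmp = ICMP_RE.search(msg)
        if icmp:
            events.append({"kind": "deny", "ts": ts, "intf": icmp.group(2),
                           "remote": icmp.group(1), "msg": msg})
            continue
        tcp = TCP_RE.search(msg)
        if tcp:
            events.append({"kind": "deny", "ts": ts, "intf": tcp.group(2),
                           "remote": tcp.group(1), "msg": msg})
    return events


def correlate(log_text, local_ips, window_seconds=2):
    """Return {remote_ip: [(denial_msg, ike_msg), ...]} for every denial that has an
    IKE-initiator message from one of the ASA's own IPs toward the same remote host,
    on the same interface, within the window. A hit means the reply to that host was
    matched by a crypto-map ACL rather than being forwarded."""
    events = parse(log_text)
    ike_events = [e for e in events if e["kind"] == "ike" and e["local"] in local_ips]
    window = timedelta(seconds=window_seconds)
    findings = {}
    for d in events:
        if d["kind"] != "deny":
            continue
        for k in ike_events:
            if (k["remote"] == d["remote"] and k["intf"] == d["intf"]
                    and abs(k["ts"] - d["ts"]) <= window):
                findings.setdefault(d["remote"], []).append((d["msg"], k["msg"]))
    return findings


if __name__ == "__main__":
    for remote, pairs in correlate(SAMPLE_LOG, {"99.55.44.86"}).items():
        print(f"{remote}: {len(pairs)} reply/IKE pairs; check crypto-map ACLs on 'outside'")
```

Run it with the ASA's interface addresses as `local_ips`; a host that shows up in the result is one whose traffic the ASA answered by trying to start IKE instead of replying. The decoy host produces no hit because no IKE message accompanies its denial.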

9 Replies

Panos Kampanakis
Cisco Employee

Make sure you have the ACL open and that your natting is correct. You would need a static nat for 73.82.134.12 on the outside or no nat at all.

Also make sure the outside doesn't have the same security level as the inside.

I hope it helps.

PK

Which ACL? There aren't any applied to the outside interface at this point.  Outside Security: 0 Inside Security: 100.

Why would I need NAT on the outside for the source IP if I was just pinging it?  Like I said, this is 1 out of 3 ASAs giving me problems.  The others have NAT statements but not explicitly for the source IP.  The packets get there but are denied for whatever reason.  On the working ASAs I can't see any difference in regards to the outside interface and pinging.

Farrukh Salim
Level 1

Hi,

Have you enabled the policy-map to inspect icmp?

policy-map global_policy
class inspection_default
  inspect icmp

No.  But I haven't done that on my other 2 ASAs and I am able to ping the external (outside) interface without fail on those 2.

Firewall in question:

FW-A# show run .....
policy-map global_policy
description tcp-traffic
class tcp-traffic
  set connection advanced-options allow_76-78
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
class ttl-class
  set connection decrement-ttl

inspect icmp is only for "THROUGH" the box icmp and not "TO" the box icmp.

You do not need to enable inspect icmp just to be able to ping the outside interface IP. You don't even need "icmp permit any outside"; by default the ASA allows and responds to pings.

Is 73.82.134.12 the outside interface IP address?

If so the syslog is misleading. type=8, code=0 is an ICMP request - no doubt.

Are you trying to ping the outside interface IP address from a host on the inside?

If so you cannot do that.  You can only manage/ping the interface that is close to the host/client.

-KS

Thanks for clearing the 'through' and 'to' icmp requests.  I wasn't clear on whether I actually needed those or not.

73.82.134.12 is my public IP... 99.55.44.86 is the public IP of the ASA in the colo.  I am trying to ping from my office to the outside interface of my ASA in a colo, the same ASA I have an s2s tunnel with (shouldn't matter).

Just for shits and giggles I added my public IP to manage via SSH and I get this in the logs:

6    Oct 07 2010    13:49:12        73.82.134.12    4586    99.55.44.86    22    Deny TCP (no connection) from 73.82.134.12/4586 to 99.55.44.86/22 flags RST ACK  on interface outside

I believe you may need "management-access outside" or "management-access inside" depending on which interface you would like to ping and manage via SSH.

-KS

Issue turned out to be a misconfigured dynamic crypto map....

It was matching a map that had a permit ip any any in it which caused the ASA to attempt to encrypt all the traffic it saw, even if it was a ping or ssh attempt from outside.
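The root cause above is a crypto-map ACL broad enough to also match traffic the ASA itself sources on the outside interface (its echo replies, its SSH SYN-ACKs), so every such flow tried to start IKE instead of leaving the box. As an added example that is not from the thread, this Python script audits the `match address` ACLs bound to static and dynamic crypto maps in an ASA 8.3-style running-config and flags any entry whose source side covers the interface's own address. The config is constructed: the ACL and map names, the 10.10/16 and 10.20/16 networks and the 99.55.44.0/24 entry are assumptions for illustration; only the peer and interface addresses come from the thread. It generalizes past the any/any case in the post to any ACE whose source network contains the interface IP.

```python
"""Flag crypto-map ACL entries that would catch the ASA's own interface-sourced
traffic (added example; sample config is constructed, not from the thread)."""
import ipaddress
import re

# Constructed running-config excerpt in ASA 8.3 syntax. Names and the RFC 1918
# networks are assumptions; 73.82.134.12 and the outside interface are from the thread.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_10 extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_30 extended permit ip 99.55.44.0 255.255.255.0 any
access-list dyn_any extended permit ip any any
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 73.82.134.12
crypto map outside_map 30 match address outside_cryptomap_30
crypto dynamic-map outside_dyn_map 20 match address dyn_any
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
MATCH_RE = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+) match address (\S+)$")


def _parse_addr(tokens):
    """Consume one ASA ACL address spec ('any', 'host X', or 'X NETMASK') and return
    (IPv4Network, remaining tokens); None stands for 'any'. ASA ACLs use real
    subnet masks, not IOS-style wildcard masks."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_crypto_config(config):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [(kind, map, seq, acl), ...])."""
    aces, bindings = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            src, rest = _parse_addr(m.group(2).split())
            dst, _ = _parse_addr(rest)
            aces.setdefault(m.group(1), []).append((src, dst))
            continue
        m = MATCH_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return aces, bindings


def audit_crypto_acls(config, interface_ip):
    """List crypto-map ACEs whose source side contains the interface's own address.
    Packets the ASA originates from that interface (ping replies, SSH replies) are
    checked against the crypto map on the way out; a matching ACE makes the box try
    to negotiate IKE to the packet's destination instead of sending it, which is the
    'IKE Initiator unable to find policy' symptom. A dynamic-map entry normally needs
    no match address at all, so one that is present and broad is doubly suspect."""
    ip = ipaddress.ip_address(interface_ip)
    aces, bindings = parse_crypto_config(config)
    findings = []
    for kind, name, seq, acl in bindings:
        for src, dst in aces.get(acl, []):
            if src is None or ip in src:
                findings.append({
                    "map": f"{kind} {name} {seq}",
                    "acl": acl,
                    "source": "any" if src is None else str(src),
                    "destination": "any" if dst is None else str(dst),
                    "dynamic": kind == "dynamic-map",
                })
    return findings


if __name__ == "__main__":
    for f in audit_crypto_acls(SAMPLE_CONFIG, "99.55.44.86"):
        print(f"{f['map']}: ACL {f['acl']} {f['source']} -> {f['destination']} "
              f"also matches traffic sourced from the interface itself")
```

The fix the thread arrived at is to narrow the ACL (or drop `match address` from the dynamic map) so that only the intended site-to-site subnets are interesting traffic; the audit reports exactly the entries that would need that change.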

robertson.dias
Level 1

Hi,

Try looking at this document: "http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml".

The first IKE message can indicate some problem with the tunnel, although "icmp permit any outside" should work if you don't have any special policy set up.

Hope this helps you

Robertson
