ICMP being allowed through??

John Blakley
VIP Alumni

I can't understand this one. I have a Netopia router in front of an ASA. The ASA is getting an address from the provider for the time being, but I can ping that address. In my logs I see where the ICMP connection is being built and torn down on the ASA, but it's from a different IP than mine. Is it possible that I'm hitting the Netopia router and it's responding for the ASA?

Thanks,

John

HTH, John *** Please rate all useful posts ***

Jon Marshall
Hall of Fame

John

Could you provide a bit of addressing - it doesn't have to be the real addressing, just use any addressing to give an example. Is it

LAN -> ASA -> Netopia router

If so could you provide addressing for interfaces and also where you are pinging from.

What do you mean when you say the ASA is getting an address from the provider - do you mean DHCP?

Jon

It's a pppoe account that's assigned an address. The current layout is

LAN --> ASA --> Netopia --> Cloud

The ASA public is 192.168.1.5

The Netopia is supposedly in bridging mode.

From my box (outside of their network), I can ping 192.168.1.5. In the logs I see:

%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1 (my public)/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0

This makes NO sense. I don't have ACLs that are allowing the traffic through, and I was always under the assumption that the public side always dropped any traffic unless explicitly permitted.

Thanks,

John

HTH, John *** Please rate all useful posts ***

John

Sorry, it's been a long day so I may be a bit slow! You are pinging from another public IP address, nothing to do with the LAN behind the ASA.

If so an acl on the outside interface of the ASA does not control whether you can ping the outside interface but whether ICMP is allowed through.

Look in the ASA config to see if there is a line

icmp permit any outside

Again, apologies if I am still not understanding.

Jon

It's understandable...it has been a LONG day :-)

I'm pinging from one public to another public (outside interface on ASA). There's no icmp lines on there, and to verify I did the following:

access-list TEST deny icmp any any

access-list TEST permit ip any any

access-group TEST in interface outside

I can still ping with no hits on the acl. I believe the Netopia is answering for the request.

--John

HTH, John *** Please rate all useful posts ***

Okay, I need some sleep :-)

I'm pinging from one public to another public (outside interface of ASA) - yes, but where from a topology point of view is the other public IP, i.e. the public IP that is not the outside interface of the ASA?

Jon

It's in another state :o)

It connects to us through easyvpn. I thought that was the problem, so I remoted into one of my laptops at my house, and I could ping it from there too. The ASA is just another device out on the internet. Does that help? It really makes no sense, and it's frustrating me. :-) I don't get frustrated easily.... LOL

--John

HTH, John *** Please rate all useful posts ***

Let's use a bit of inverse logic. On your ASA

asa(config)# icmp deny any outside

Jon

LOL! That worked :-) Now, why won't my acl block it?? It wasn't even touching my acl.

HTH, John *** Please rate all useful posts ***

John

Think we have both had it today.

Your acl has no effect on ICMP traffic going to an interface on the ASA. An acl only affects ICMP traffic (and all other traffic) going through the ASA from one side to another.

Default must be to allow icmp to all interfaces, but it didn't use to be.

Jon
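Added example (not from the thread or from either poster): a small Python check that reads %ASA-6-302020 lines like the one John quoted and flags the case Jon describes, where laddr is the ASA's own interface address, so the interface ACL never sees the flow and only the `icmp` command governs it. The sample log lines and the interface-address set are constructed; 192.168.1.5 is the outside address given in the thread.

```python
import re
from typing import NamedTuple, Optional, Set, List, Tuple

# Constructed sample syslog lines modelled on the %ASA-6-302020 message quoted
# in the thread. 1.1.1.1 stands in for the remote public address, 10.0.0.20
# for an inside host reached through a static translation.
SAMPLE_LOGS = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 1.1.1.1/37738 gaddr 192.168.1.5/0 laddr 10.0.0.20/0",
    "%ASA-6-302021: Teardown ICMP connection for faddr 1.1.1.1/37737 gaddr 192.168.1.5/0 laddr 192.168.1.5/0",
]

# Assumed set of the ASA's own interface addresses (only the outside address
# from the thread is known).
INTERFACE_IPS = {"192.168.1.5"}

ICMP_BUILT = re.compile(
    r"%ASA-6-302020: Built (?P<dir>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)


class IcmpConn(NamedTuple):
    direction: str
    faddr: str
    gaddr: str
    laddr: str
    to_the_box: bool  # True when the real destination is the ASA itself


def parse_icmp_built(line: str, interface_ips: Set[str]) -> Optional[IcmpConn]:
    """Parse one 302020 line; return None for any other message."""
    m = ICMP_BUILT.search(line)
    if not m:
        return None
    laddr = m["laddr"]
    return IcmpConn(m["dir"], m["faddr"], m["gaddr"], laddr, laddr in interface_ips)


def applicable_control(conn: IcmpConn) -> str:
    """Name the ASA feature that decides whether this echo is answered."""
    # To-the-box ICMP is governed by 'icmp permit|deny ... <interface>',
    # through-the-box ICMP by the access-group applied to the interface.
    return "icmp command" if conn.to_the_box else "interface access-list"


def classify(lines: List[str], interface_ips: Set[str]) -> Tuple[List[IcmpConn], List[IcmpConn]]:
    """Split 302020 lines into (to-the-box, through-the-box) connections."""
    conns = [c for c in (parse_icmp_built(l, interface_ips) for l in lines) if c]
    return [c for c in conns if c.to_the_box], [c for c in conns if not c.to_the_box]
```

Running classify over a real log export shows which echo requests the ACL could never have matched, which is why John's deny entry stayed at zero hits.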

Thanks Jon!

HTH, John *** Please rate all useful posts ***