Re: ICMP ECHO denied by asa

kolawole1 · ‎10-22-2009

Dear ALL,

i am tying to ping a public ip address from a remote site router but the packet is being denied.Split tunneling is configured on the central site asa so the remote sites can have access to internet through the asa.Here is a copy of the asa the logs on the asa and the remote site router.Please Help.

Kureli Sankar · ‎10-22-2009

Pls. provide us a topology like below and let us know what path these ICMP requests are supposed to take.

ASA(LAN)128.223.125.232----(128.223.125.230)Router

Which IP address are you trying to ping and from where?

The syslogs indicate that the replies from 128.223.125.230 are being dropped.

ICMP type 0 is reply.

Here is the link to the syslog

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771116

Do you know when the requests are sent and when the replies come back?

Captures on the ASA's LAN interface would show this.

cap caplan int LAN match icmp any any

do the ping test

sh cap caplan

Try the following:

conf t

timeout icmp 0:0:4

kolawole1 · ‎10-23-2009

Here is te topology

BranchRTR(inside)131.223.124.230---BranchRTR(outside)196.1.1.4---HQRTR(outside)196.1.1.1---HQRTR(inside)192.168.1.250---ASA(outside)192.168.1.232---ASA(LAN)128.223.125.232---ISA SERVER(128.223.125.111)---INTERNETMODEM

I am trying to ping 81.91.225.18(our isp dns) from the branch router outside interface.Are my access-lists and config OK for the branch to access the internet ?What is wrong ?

Marcus Hunold · ‎10-23-2009

Hi,

1. your log there is no information about icmp packets with the addresses you said.

2. there is no routing for way back on the ASA_AA for your Transfernetwork 196.1.1.0/24 Youd need - route liaison_BLR 196.1.1.0 255.255.255.0 192.168.1.250 -

PS: traceroute is your friend