Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ICMP ECHO denied by asa

Dear ALL,

i am tying to ping a public ip address from a remote site router but the packet is being denied.Split tunneling is configured on the central site asa so the remote sites can have access to internet through the asa.Here is a copy of the asa the logs on the asa and the remote site router.Please Help.

3 REPLIES
Cisco Employee

Re: ICMP ECHO denied by asa

Pls. provide us a topology like below and let us know what path these ICMP requests are supposed to take.

ASA(LAN)128.223.125.232----(128.223.125.230)Router

Which IP address are you trying to ping and from where?

The syslogs indicate that the replies from 128.223.125.230 are being dropped.

ICMP type 0 is reply.

Here is the link to the syslog

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771116

Do you know when the requests are sent and when the replies come back?

Captures on the ASA's LAN interface would show this.

cap caplan int LAN match icmp any any

do the ping test

sh cap caplan

Try the following:

conf t

timeout icmp 0:0:4

New Member

Re: ICMP ECHO denied by asa

Here is te topology

BranchRTR(inside)131.223.124.230---BranchRTR(outside)196.1.1.4---HQRTR(outside)196.1.1.1---HQRTR(inside)192.168.1.250---ASA(outside)192.168.1.232---ASA(LAN)128.223.125.232---ISA SERVER(128.223.125.111)---INTERNETMODEM

I am trying to ping 81.91.225.18(our isp dns) from the branch router outside interface.Are my access-lists and config OK for the branch to access the internet ?What is wrong ?

New Member

Re: ICMP ECHO denied by asa

Hi,

1. your log there is no information about icmp packets with the addresses you said.

2. there is no routing for way back on the ASA_AA for your Transfernetwork 196.1.1.0/24 Youd need - route liaison_BLR 196.1.1.0 255.255.255.0 192.168.1.250 -

PS: traceroute is your friend

154
Views
0
Helpful
3
Replies
CreatePlease to create content