Cisco Support Community

ICMP through an ASA running 8.4

I have a one-to-one NAT configured (mail <-> xenon); however, I am unable to configure ICMP to respond on the external IP of the NAT. Below is my config. There is extra ICMP cruft in it that I have been trying and that is probably not necessary, but any help with this problem would be helpful.

# sho run
                ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa# sho run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password psKHILtBkc/R7/X9 encrypted
passwd psKHILtBkc/R7/X9 encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 speed 100
 duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.90.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.124 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network mail
 host xxx.xxx.xxx.125
object network xenon
 host 192.168.90.252
object network public
 host xxx.xxx.xxx.126
object network helium
 host 192.168.90.249
access-list outside_access_in extended permit tcp any object xenon eq www
access-list outside_access_in extended permit tcp any object xenon eq https
access-list outside_access_in extended permit tcp any object xenon eq 587
access-list outside_access_in extended permit tcp any object xenon eq smtp
access-list outside_access_in extended permit tcp any object xenon eq 993
access-list outside_access_in extended permit tcp any object xenon eq 5666
access-list outside_access_in extended permit tcp any object xenon eq ssh
access-list outside_access_in extended permit tcp any object helium eq https
access-list outside_access_in extended permit icmp any object xenon echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any object xenon echo
access-list wccp_redirect extended deny ip host 192.168.90.11 any
access-list wccp_redirect extended permit tcp 192.168.90.0 255.255.255.0 any eq www log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network xenon
 nat (inside,outside) static mail
object network helium
 nat (inside,outside) static public
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
wccp web-cache
wccp interface inside web-cache redirect in


ICMP through an ASA running 8.4

Hello Munroe,

Add the following command:

-Fixup protocol ICMP

Please provide the following output:

packet-tracer input outside icmp 4.2.2.2 8 0 mail_ip

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
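For reference, this is the Modular Policy Framework (MPF) form that the ASA converts `fixup protocol icmp` into on 8.3 and later, together with the inbound ACL the posted configuration actually needs for the ping. It is an added example for readers of this thread, not part of Julio's reply; the interface, object and policy names are taken from the configuration posted above.

```cisco
! ICMP inspection in MPF form. On ASA 8.3+ "fixup protocol icmp" is
! auto-converted to exactly this; "inspect icmp error" additionally lets
! ICMP error messages (unreachable, time-exceeded) for an existing
! connection pass back through the NAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! With inspect icmp active the echo/echo-reply pair is tracked as one
! connection, so the inbound ACL only has to permit the echo request.
! ACLs on 8.3+ match the real (post-untranslate) address, hence "object xenon"
! rather than the public "mail" address.
access-list outside_access_in extended permit icmp any object xenon echo
!
! Two entries from the posted config can then go: the echo-reply line is
! redundant once replies are matched statefully, and "any any echo" exposes
! every inside host to ping rather than just the one published server.
no access-list outside_access_in extended permit icmp any object xenon echo-reply
no access-list outside_access_in extended permit icmp any any echo
!
! Caveat: the "icmp permit ... outside" lines in the posted config govern
! ICMP addressed to the ASA's own outside interface IP only. They have no
! effect on ICMP passing through the firewall to xenon.
```

The packet-tracer output later in this thread shows the request being matched by the broad `permit icmp any any echo` line (phase 3) and inspected by `inspect icmp` under `class inspection_default` (phase 5), which is the same policy as above.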

ICMP through an ASA running 8.4

# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands

ciscoasa# packet-tracer input outside icmp 4.2.2.2 8 0 xxx.xxx.xxx.125

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network xenon
 nat (inside,outside) static mail
Additional Information:
NAT divert to egress interface inside
Untranslate xxx.xxx.xxx.125/0 to 192.168.90.252/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any any echo
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2298729, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa#

ICMP through an ASA running 8.4

Hello Munroe,

The packet tracer shows that everything is allowed. Please let me know if it's working or if we need to do further investigation (the next thing would be captures).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: ICMP through an ASA running 8.4

Hi,

Is this ASA configured for some company's production environment or for test purposes?

Just wondering if the server has a default GW set in its configuration? This would explain a situation where it replies to ICMP directly from the ASA but not from the Internet (because the ICMP is not coming from a connected network of the server). Though you didn't say whether it responds to ICMP from the local network of 192.168.90.0/24.

Just thought I'd ask since, as Julio said, the packet tracer goes through fine.

Also, is there anything on the server that might block the ICMP echoes?

- Jouni
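The capture step Julio mentions, written out as an added example (not from either reply) so the two explanations on the table, an ASA drop versus the server not answering, can be told apart. The addresses are the ones in the posted configuration, with xxx.xxx.xxx.125 standing in for the masked public address of the mail object.

```cisco
! Capture the echo on both sides of the NAT. On the outside interface the
! packets carry the translated (public) address; on the inside interface
! they carry the server's real address.
capture capout interface outside match icmp any host xxx.xxx.xxx.125
capture capin interface inside match icmp any host 192.168.90.252
! Also record everything the accelerated security path drops, with reason.
capture asp type asp-drop all
!
! Now ping xxx.xxx.xxx.125 from a host on the Internet, then read back:
show capture capout
show capture capin
show capture asp | include 192.168.90.252
!
! How to read the result:
!  - capout shows the echo but capin shows nothing: the ASA dropped it;
!    the asp-drop capture gives the reason.
!  - capin shows the echo but no echo-reply: the ASA delivered it and the
!    server did not answer (host firewall, or no default gateway pointing
!    at 192.168.90.1, as suggested above). Check on the server side.
!  - capin shows the reply but capout does not: the reply was dropped on
!    the way back; again check the asp-drop capture.
!
! Captures stay in memory until removed; clean up when finished:
no capture capout
no capture capin
no capture asp
```

Because packet-tracer only simulates the ASA's own processing, it cannot show whether the server ever replies; the inside capture is the quickest way to answer Jouni's question without touching the server.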
