New Member

implicit deny for icmp on inside interface

I can't figure out how to overcome the implicit deny for icmp on the inside interface of an ASA firewall.

I am pinging from one internal host to another, both on the inside interface.

I've added explicit rules but it doesn't seem to matter.

Please help

asa(config)# packet-tracer input inside icmp 192.168.1.200 8 0 192.168.22.1 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.22.0    255.255.255.0   inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static any any destination static Net_192.168.0.0_16 Net_192.168.0.0_16 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.22.1/0 to 192.168.22.1/0

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb1aaa70, priority=111, domain=permit, deny=true
        hits=3637, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Accepted Solutions
Cisco Employee

Re: implicit deny for icmp on inside interface

Hi Keith,

Is another type of traffic permitted between the same devices? If not, please enable the following:

same-security-traffic permit intra-interface

It permits communication between peers connected to the same interface.

Kind regards,

Veronika
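A small triage script for packet-tracer transcripts like the one in the question, added here as an example (it is not code from the thread, from Keith's ASA, or from Cisco): it finds the phase that dropped the flow, checks whether it was the ACCESS-LIST Implicit Rule with the same input and output interface, and points at the same-security-traffic setting Veronika recommends. The SAMPLE text and the function names are constructed for the example.

```python
# Added example (not code from the thread or from Cisco): triage ASA packet-tracer output for the hairpin drop seen here.
import re
SAMPLE = """Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""  # constructed sample, abbreviated from the transcript in the question

def parse_phases(text):
    """One dict per 'Phase:' block: its header fields (type, result, ...) and Config lines."""
    phases, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Phase:"):
            cur, section = {"phase": line[6:].strip(), "config": []}, None
            phases.append(cur)
        elif cur is None or not line:
            cur = None                       # blank line closes a block; the summary has no Phase:
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif section is None and ":" in line:   # Type:, Subtype:, Result: header fields
            key, value = line.split(":", 1)
            cur[key.strip().lower()] = value.strip()
        elif section == "Config:":
            cur["config"].append(line)       # e.g. 'Implicit Rule' or the matching ACL entry
    return phases

def summary(text):  # fields of the trailing 'Result:' block: interfaces, action, drop reason
    return {k: m.group(1).strip() for k in ("input-interface", "output-interface", "Action", "Drop-reason")
            if (m := re.search(r"^%s:\s*(.*)$" % k, text, re.M))}

def diagnose(text):
    """Return (verdict, detail); 'hairpin-implicit-deny' is the case the accepted answer fixes."""
    s = summary(text)
    if s.get("Action") != "drop":
        return "allowed", "packet-tracer did not drop the flow"
    p = next((p for p in parse_phases(text) if p.get("result") == "DROP"), {"config": []})
    same_ifc = s.get("input-interface") is not None and s["input-interface"] == s.get("output-interface")
    if p.get("type") == "ACCESS-LIST" and "Implicit Rule" in p["config"] and same_ifc:
        return "hairpin-implicit-deny", "hairpin on %s; check 'same-security-traffic permit intra-interface'" % s["input-interface"]
    return "drop", "%s (phase %s: %s)" % (s.get("Drop-reason", "unknown"), p.get("phase", "?"), "; ".join(p["config"]))
```

Run diagnose() on a full transcript pasted from the ASA; the same-interface check is what separates this case from an ordinary ACL deny between two different interfaces.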

New Member

Re: implicit deny for icmp on inside interface

Thanks that worked perfectly.
