[c-nsp] Weird ICMP problem in ASA 5510

Dave Lim dave.daturax at gmail.com
Thu Dec 28 09:41:23 EST 2006


Hi Group,

I am facing a very weird problem with my ASA 5510 allowing ICMP traffic from
the inside to the outside network.

As you can see in the following, I can ICMP to the internet if I am on
the console of the ASA (as seen in the first output) but I can't ICMP the
internet if I am on the inside network (see second output).

Below is the debug icmp trace output as I do a ping to an internet IP.

debug icmp trace
debug icmp trace enabled at level 1
ASA5510# ping 165.21.83.88
ICMP echo request from 172.16.1.2 to 165.21.83.88 ID=4388 seq=57493 len=72
Sending 5, 100-byte ICMP Echos to 165.21.83.88, timeout is 2 seconds:
!ICMP echo reply from 165.21.83.88 to 172.16.1.2 ID=4388 seq=57493 len=72
ICMP echo request from 172.16.1.2 to 165.21.83.88 ID=4388 seq=57493 len=72
!ICMP echo reply from 165.21.83.88 to 172.16.1.2 ID=4388 seq=57493 len=72
ICMP echo request from 172.16.1.2 to 165.21.83.88 ID=4388 seq=57493 len=72
!ICMP echo reply from 165.21.83.88 to 172.16.1.2 ID=4388 seq=57493 len=72
ICMP echo request from 172.16.1.2 to 165.21.83.88 ID=4388 seq=57493 len=72
!ICMP echo reply from 165.21.83.88 to 172.16.1.2 ID=4388 seq=57493 len=72
ICMP echo request from 172.16.1.2 to 165.21.83.88 ID=4388 seq=57493 len=72
ICMP echo reply from 165.21.83.88 to 172.16.1.2 ID=4388 seq=57493 len=72


But if I do a ping from one of the inside network machines, I see
the following.

ASA5510# ICMP echo request from inside:10.203.1.102 to outside:165.21.83.88 ID=512 seq=20224 len=32
ICMP echo request translating inside:10.203.1.102/512 to outside:172.16.1.2/3
ICMP echo request from inside:10.203.1.102 to outside:165.21.83.88 ID=512 seq=20480 len=32
ICMP echo request translating inside:10.203.1.102/512 to outside:172.16.1.2/3
ICMP echo request from inside:10.203.1.102 to outside:165.21.83.88 ID=512 seq=20736 len=32
ICMP echo request translating inside:10.203.1.102/512 to outside:172.16.1.2/3
ICMP echo request from inside:10.203.1.102 to outside:165.21.83.88 ID=512 seq=20992 len=32
ICMP echo request translating inside:10.203.1.102/512 to outside:172.16.1.2/3


I can see that PAT is being done on the echo request but I do not see
an echo reply. 10.203.1.0/24 is in the inside network.
I have also allowed ICMP to the inside interface, as seen in "icmp permit any
inside".

Anyone? This should be pretty straightforward.

Attached is the config.

ASA5510# show run
: Saved
:
ASA Version 7.0(6)
!
hostname ASA5510
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.203.1.253 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxx
ftp mode passive
clock timezone SGT 8
object-group service ALL_VLAN_TCP tcp
 description ALL VLAN TCP
 port-object eq telnet
 port-object eq www
 port-object eq ftp-data
 port-object eq domain
 port-object eq pop3
 port-object eq https
 port-object eq ftp
 port-object eq smtp
 port-object eq imap4
 port-object eq lotusnotes
 port-object eq 8843
 port-object eq 8443
object-group service ALL_VLAN_UDP udp
 description ALL VLAN UDP
 port-object eq nameserver
 port-object eq domain
 port-object eq ntp
access-list inside_access_in extended permit tcp 10.203.0.0 255.255.0.0 any object-group ALL_VLAN_TCP
access-list inside_access_in extended permit udp 10.203.0.0 255.255.0.0 any object-group ALL_VLAN_UDP
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp permit any management
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.203.0.0 255.255.0.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 10.0.0.0 255.0.0.0 10.203.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.203.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.203.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 5
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
ntp server 219.87.217.84 source outside
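As an added diagnostic example from the editor (not code from the original post, and not a Cisco tool): the script below parses the two `debug icmp trace` excerpts in the post, pairs every echo request with its reply (following the PAT translation so a reply addressed to the global address/ID still matches), and reports requests that were translated but never answered, which is exactly the asymmetry between the console ping and the inside-host ping above. It also checks a running-config text for an `inspect icmp` line; the post's config contains no policy-map at all, so that check returns False for it. The trace lines are the post's own with the mail-wrapped lines rejoined; `CONFIG_WITHOUT_INSPECT` and `CONFIG_WITH_INSPECT` are constructed fragments, and the policy and class names in the second are only the usual ASA defaults, not something from the post.

```python
import re
from dataclasses import dataclass, field

# Two line shapes from `debug icmp trace`. The interface prefix ("inside:") is
# optional because a ping sourced from the ASA console is logged without it.
ECHO_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?:\w+:)?(?P<src>[\d.]+) "
    r"to (?:\w+:)?(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+) len=\d+"
)
XLATE_RE = re.compile(
    r"ICMP echo request translating \w+:(?P<src>[\d.]+)/(?P<id>\d+) "
    r"to \w+:(?P<gsrc>[\d.]+)/(?P<gid>\d+)"
)

# Sample input: the post's own two debug excerpts, mail-wrapped lines rejoined.
CONSOLE_TRACE = [
    "ASA5510# ping 165.21.83.88",
    "Sending 5, 100-byte ICMP Echos to 165.21.83.88, timeout is 2 seconds:",
] + [
    line
    for _ in range(5)  # five request/reply pairs, all logged with the same ID/seq
    for line in (
        "ICMP echo request from 172.16.1.2 to 165.21.83.88 ID=4388 seq=57493 len=72",
        "!ICMP echo reply from 165.21.83.88 to 172.16.1.2 ID=4388 seq=57493 len=72",
    )
]
INSIDE_TRACE = [
    line
    for seq in ("20224", "20480", "20736", "20992")
    for line in (
        f"ICMP echo request from inside:10.203.1.102 to outside:165.21.83.88 ID=512 seq={seq} len=32",
        "ICMP echo request translating inside:10.203.1.102/512 to outside:172.16.1.2/3",
    )
]
# Constructed config fragments. The post's running config has no policy-map at
# all, so it looks like the first; the second shows an ICMP-inspecting policy.
CONFIG_WITHOUT_INSPECT = "global (outside) 1 interface\nnat (inside) 1 10.203.0.0 255.255.0.0\n"
CONFIG_WITH_INSPECT = (
    "policy-map global_policy\n class inspection_default\n  inspect icmp\n"
    "service-policy global_policy global\n"
)


@dataclass
class TraceSummary:
    requests: int = 0
    replies: int = 0
    translated: int = 0
    unanswered: list = field(default_factory=list)         # (src, dst, id, seq)
    unmatched_replies: list = field(default_factory=list)  # replies with no request

    @property
    def all_answered(self) -> bool:
        return self.requests > 0 and not self.unanswered


def analyse_icmp_trace(lines):
    """Pair echo requests with replies; report requests that never got one."""
    summary = TraceSummary()
    pending = {}     # lookup key -> original request key (aliases share a value)
    last_req = None
    for line in lines:
        m = XLATE_RE.search(line)
        if m:
            if last_req and m["src"] == last_req[0] and m["id"] == last_req[2]:
                # After PAT the reply is addressed to the global address/ID, so
                # register that as an alias for the same pending request.
                pending[(m["gsrc"], last_req[1], m["gid"], last_req[3])] = last_req
                summary.translated += 1
            continue
        m = ECHO_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["dst"], m["id"], m["seq"])
        if m["kind"] == "request":
            summary.requests += 1
            pending[key] = key
            last_req = key
        else:
            summary.replies += 1
            # A reply has the request's src/dst swapped; ID and seq are echoed back.
            orig = pending.get((m["dst"], m["src"], m["id"], m["seq"]))
            if orig is None:
                summary.unmatched_replies.append(key)
            else:
                for k in [k for k, v in pending.items() if v == orig]:
                    del pending[k]
    seen = set()
    for orig in pending.values():
        if orig not in seen:
            seen.add(orig)
            summary.unanswered.append(orig)
    return summary


def config_has_icmp_inspection(config_text: str) -> bool:
    """True if a policy-map line `inspect icmp` (not `inspect icmp error`) is present."""
    return re.search(r"^\s*inspect icmp\s*$", config_text, re.M) is not None


if __name__ == "__main__":
    for name, trace in (("console ping", CONSOLE_TRACE), ("inside host ping", INSIDE_TRACE)):
        s = analyse_icmp_trace(trace)
        print(f"{name}: {s.requests} requests, {s.replies} replies, "
              f"{s.translated} translated, {len(s.unanswered)} unanswered")
    print("inspect icmp configured:", config_has_icmp_inspection(CONFIG_WITHOUT_INSPECT))
```

Run stand-alone, the console trace comes out fully answered and the inside-host trace shows four translated requests with no reply. The reason that matters on an ASA: unless `inspect icmp` is applied in a service policy, the firewall does not track an echo request as a stateful connection, so the echo reply arriving at the lower-security outside interface has to be permitted explicitly by an access-list applied inbound on that interface; the running config in the post has neither a policy-map nor an access-group on outside, so `show service-policy` and the outside interface's ACL are the first two things to compare the unanswered count against.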

