[c-nsp] ASA 5520 icmp error inspection not functioning after upgrade

Vinny_Abello at Dell.com
Mon May 5 09:35:07 EDT 2014


Thanks, and it is as well as a huge access-list of other things, but that doesn't change the effect of ttl-exceeded packets not being translated via NAT properly because the icmp error inspection seems broken. I didn't disclose everything I'm permitting through the access-list. I was just mentioning things I thought should pertain to the issue, but if you're interested:

access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit icmp any4 any4 echo
access-list outside_access_in extended permit icmp any4 any4 unreachable
access-list outside_access_in extended permit icmp any4 any4 time-exceeded log
access-list outside_access_in extended permit icmp6 any6 any6 echo
access-list outside_access_in extended permit icmp6 any6 any6 echo-reply
access-list outside_access_in extended permit icmp6 any6 any6 unreachable
access-list outside_access_in extended permit icmp6 any6 any6 time-exceeded
access-list outside_access_in extended permit icmp6 any6 any6 packet-too-big
access-list outside_access_in extended permit icmp6 any6 any6 parameter-problem

I have the log on the time-exceeded in there from trying to troubleshoot the issue. That's not normally there.

I may just end up scheduling a reload of both firewalls and go from there unless anyone else has any suggestions.

-Vinny

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Sunday, May 04, 2014 6:40 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5520 icmp error inspection not functioning after upgrade


On May 4, 2014, at 11:16 AM, Vinny_Abello at Dell.com wrote:

> I've always allowed echo-reply in the outside interface as well as ttl-exceeded in the access-list applied to it.

You should also allow ICMP type-3/code-4, or you're breaking PMTU-D.

-----------------------------------------------------------------------
Roland Dobbins //

Luck is the residue of opportunity and design.

-- John Milton
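The symptom in the thread is ttl-exceeded packets that NAT does not map back to the inside host, which is exactly the job of ICMP error inspection: an inbound ICMP error is addressed to the NAT global address, and the copy of the original datagram it quotes also still carries that global address as its source, so both must be rewritten (with checksums repaired) or the inside host cannot match the error to the packet it sent. The following is an added example of mine, not code from the thread or from Cisco, that performs that embedded-header rewrite on a constructed time-exceeded message; the addresses 192.0.2.10 (inside local), 198.51.100.1 (NAT global) and 203.0.113.7 (destination) are assumed sample values.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; a header with a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def build_icmp_error(itype, code, original):
    """ICMP error message quoting the original IP header + 8 bytes (RFC 792)."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + original[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def embedded_src(icmp):
    """Source address of the datagram quoted inside an ICMP error."""
    return socket.inet_ntoa(bytes(icmp[20:24]))

def untranslate_icmp_error(icmp, global_ip, local_ip):
    """Rewrite an inbound ICMP error the way error inspection must: map the quoted
    datagram's NATed global source back to the inside local address and repair the
    inner IP and outer ICMP checksums. Returns None if it is not one of our errors."""
    if icmp[0] not in (3, 11, 12) or len(icmp) < 28 or embedded_src(icmp) != global_ip:
        return None
    inner = bytearray(icmp[8:])
    inner[12:16] = socket.inet_aton(local_ip)
    inner[10:12] = b"\x00\x00"                       # zero before recomputing
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:20])))
    out = bytearray(icmp[:8]) + inner
    out[2:4] = b"\x00\x00"
    out[2:4] = struct.pack("!H", checksum(bytes(out)))
    return bytes(out)

def sample_time_exceeded():
    """Constructed sample: inside host 192.0.2.10 pinged 203.0.113.7 through a
    NAT to 198.51.100.1, and a router on the path returned ICMP time-exceeded."""
    original = build_ipv4("198.51.100.1", "203.0.113.7", 1,
                          b"\x08\x00\x00\x00\x00\x01\x00\x01", ttl=1)
    return build_icmp_error(11, 0, original)
```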


_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
