What am I doing wrong here? Working with WB 2 lab 12, trying to ping
6.6.4.32 (BB2) from R9 (on ASA DMZ) without success.

Error message in ASA:

%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
(type 8, code 0)
%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
(type 8, code 0)
%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
(type 8, code 0)


There is a translation:

ASA(config)# sh run static | incl DMZ
static (DMZ,outside) 6.6.146.9 10.17.17.9 netmask 255.255.255.255

There is a hole in the ACL:

ASA(config)# sh run access-group
access-group OUTSIDE in interface outside
access-group DMZ in interface DMZ

ASA(config)# sh run access-list DMZ
access-list DMZ extended permit udp host 10.17.17.9 host 6.6.99.1 eq ntp
access-list DMZ extended permit icmp any any echo

There is an inspect for icmp:

ASA(config)# sh service-policy global  | incl icmp
      Inspect: icmp, packet 0, drop 0, reset-drop 0


This is what packet-tracer says:

ASA(config)# packet-tracer input DMZ icmp 10.17.17.9 8 0 6.6.4.32 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
(type 8, code 0)
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7c6a3d8, priority=1, domain=permit, deny=false
        hits=2640, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   6.6.4.0         255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7c6aa98, priority=110, domain=permit, deny=true
        hits=31, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA(config)#


Anyone?

Br Jimmy



-- 
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
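An added example, not part of the post or of any Cisco tooling: a small Python parser for packet-tracer output like the trace quoted above. It splits the trace into phases and pulls out the phase that returned DROP, together with the matched rule id, its deny flag and the final Drop-reason, so the dropping stage can be picked out of a long trace at a glance. The sample trace is a constructed, abbreviated copy of the one in the post.

```python
import re

# Constructed sample: an abbreviated copy of the packet-tracer output quoted in the post.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule
 in  id=0xd7c6a3d8, priority=1, domain=permit, deny=false

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
 in  id=0xd7c6aa98, priority=110, domain=permit, deny=true

Result:
input-interface: DMZ
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase: N' block."""
    # The capturing group makes re.split return [pre, num1, body1, num2, body2, ...]
    chunks = re.split(r"(?m)^Phase: (\d+)\n", text)
    phases = []
    for num, body in zip(chunks[1::2], chunks[2::2]):
        phase = {"phase": int(num)}
        for key in ("Type", "Result"):
            m = re.search(rf"^{key}: ?(.*)$", body, re.M)
            phase[key.lower()] = m.group(1).strip() if m else ""
        m = re.search(r"^Config:\n(.*)$", body, re.M)  # line right after "Config:"
        phase["config"] = m.group(1).strip() if m else ""
        m = re.search(r"id=(0x[0-9a-f]+).*?deny=(true|false)", body)
        phase["rule_id"] = m.group(1) if m else None
        phase["deny"] = (m.group(2) == "true") if m else None
        phases.append(phase)
    return phases


def find_drop(text):
    """Return the first DROP phase, annotated with the trace's Drop-reason, or None."""
    for phase in parse_phases(text):
        if phase["result"] == "DROP":
            m = re.search(r"^Drop-reason: (.*)$", text, re.M)
            phase["drop_reason"] = m.group(1).strip() if m else ""
            return phase
    return None
```

Run against the sample it reports phase 4, an implicit rule with deny=true and the acl-drop reason, which is the stage to compare against the access-group and access-list output.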
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com