Did you allow the return of echo-replies on the outside interface? Or
did you put the ICMP as an inspected protocol on the global inspection
rule?

2010/4/27 Jimmy Larsson <[email protected]>:
> What am I doing wrong here? Working with WB 2 lab 12, trying to ping
> 6.6.4.32 (BB2) from R9 (on ASA DMZ) without success.
> Error message in ASA:
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
>
> There is a translation:
> ASA(config)# sh run static | incl DMZ
> static (DMZ,outside) 6.6.146.9 10.17.17.9 netmask 255.255.255.255
> There is a hole in acl:
> ASA(config)# sh run access-group
> access-group OUTSIDE in interface outside
> access-group DMZ in interface DMZ
> ASA(config)# sh run access-list DMZ
> access-list DMZ extended permit udp host 10.17.17.9 host 6.6.99.1 eq ntp
> access-list DMZ extended permit icmp any any echo
> There is an inspect for icmp:
> ASA(config)# sh service-policy global  | incl icmp
>       Inspect: icmp, packet 0, drop 0, reset-drop 0
>
> This is what packet-tracer says:
> ASA(config)# packet-tracer input DMZ icmp 10.17.17.9 8 0 6.6.4.32 detailed
> Phase: 1
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
> Additional Information:
>  Forward Flow based lookup yields rule:
>  in  id=0xd7c6a3d8, priority=1, domain=permit, deny=false
>         hits=2640, user_data=0x0, cs_id=0x0, l3_type=0x8
>         src mac=0000.0000.0000, mask=0000.0000.0000
>         dst mac=0000.0000.0000, mask=0000.0000.0000
> Phase: 2
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
> Phase: 3
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in   6.6.4.0         255.255.255.0   outside
> Phase: 4
> Type: ACCESS-LIST
> Subtype:
> Result: DROP
> Config:
> Implicit Rule
> Additional Information:
>  Forward Flow based lookup yields rule:
>  in  id=0xd7c6aa98, priority=110, domain=permit, deny=true
>         hits=31, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
>         src ip=0.0.0.0, mask=0.0.0.0, port=0
>         dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
> Result:
> input-interface: DMZ
> input-status: up
> input-line-status: up
> output-interface: outside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
> ASA(config)#
>
> Anyone?
> Br Jimmy
>
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>



-- 
Willians Barboza
CCIE Security # 25629
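The troubleshooting in this thread rests on two artifacts: the %ASA-3-106014 syslog lines and the packet-tracer output. As an added example (not part of the thread, and not a Cisco tool), the Python below parses both into structured records so the denied flows can be counted and the phase that actually dropped the packet is pulled out rather than read by eye. The sample inputs are constructed from the lines quoted above (the 106014 lines with their wrapped continuation re-joined, the packet-tracer output abridged to the fields read here) plus one constructed, unrelated 302013 line to show non-matching syslog is skipped; the ICMP type-to-keyword map is an assumed subset of the ASA access-list keywords.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Counter as CounterType, Iterable, List, Optional, Tuple

# Constructed sample: the three 106014 lines from the thread (continuation re-joined)
# plus one constructed, unrelated 302013 line that the parser should ignore.
SYSLOG_SAMPLE = """\
%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32 (type 8, code 0)
%ASA-6-302013: Built outbound TCP connection 12 for outside:6.6.99.1/80 (6.6.99.1/80) to DMZ:10.17.17.9/1025 (6.6.146.9/1025)
"""

# Constructed sample: the thread's packet-tracer output, abridged to Phase/Type/Result
# lines and the final summary block.
PACKET_TRACER_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
input-interface: DMZ
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Layout of message 106014: "Deny inbound icmp src IF:ADDR dst IF:ADDR (type T, code C)".
DENY_106014 = re.compile(
    r"%ASA-(?P<sev>\d)-106014: Deny inbound icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+) dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)")

# ICMP type numbers mapped to ASA access-list keywords (assumed subset).
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}

@dataclass(frozen=True)
class IcmpDeny:
    src_if: str
    src: str
    dst_if: str
    dst: str
    icmp_type: int
    icmp_code: int

    @property
    def type_name(self) -> str:
        return ICMP_TYPE_NAMES.get(self.icmp_type, f"type-{self.icmp_type}")

def parse_106014(lines: Iterable[str]) -> List[IcmpDeny]:
    """One IcmpDeny per %ASA-x-106014 line; every other syslog line is skipped."""
    denies = []
    for line in lines:
        m = DENY_106014.search(line)
        if m:
            denies.append(IcmpDeny(m["src_if"], m["src"], m["dst_if"], m["dst"],
                                   int(m["type"]), int(m["code"])))
    return denies

def summarize_denies(lines: Iterable[str]) -> CounterType[Tuple[str, str, str, str, str]]:
    """Count denied flows by (src_if, src, dst_if, dst, ICMP type keyword)."""
    return Counter((d.src_if, d.src, d.dst_if, d.dst, d.type_name) for d in parse_106014(lines))

@dataclass(frozen=True)
class Phase:
    number: int
    kind: str     # the "Type:" line, e.g. ACCESS-LIST or ROUTE-LOOKUP
    result: str   # ALLOW or DROP

PHASE_SPLIT = re.compile(r"^Phase: (\d+)$", re.M)

def _field(body: str, name: str) -> Optional[str]:
    m = re.search(rf"^{name}: ?(.*)$", body, re.M)
    return m.group(1).strip() if m else None

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Optional[str], Optional[str]]:
    """Split packet-tracer output into phases; return (phases, final action, drop reason)."""
    # The summary opens with a bare "Result:" line; per-phase lines read "Result: ALLOW/DROP".
    head, _, summary = text.partition("\nResult:\n")
    chunks = PHASE_SPLIT.split(head)  # ["", "1", body1, "2", body2, ...]
    phases = [Phase(int(chunks[i]), _field(chunks[i + 1], "Type") or "",
                    _field(chunks[i + 1], "Result") or "")
              for i in range(1, len(chunks), 2)]
    return phases, _field(summary, "Action"), _field(summary, "Drop-reason")

def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """The first phase whose Result is DROP, i.e. where the flow actually died."""
    return next((p for p in phases if p.result == "DROP"), None)

if __name__ == "__main__":
    for flow, n in summarize_denies(SYSLOG_SAMPLE.splitlines()).items():
        print(n, "x", flow)
    phases, action, reason = parse_packet_tracer(PACKET_TRACER_SAMPLE)
    d = first_drop(phases)
    print(f"{len(phases)} phases, action={action}, dropped at phase {d.number} ({d.kind}): {reason}")
```

Running it on the thread's output reports three echo denies for DMZ:10.17.17.9 to outside:6.6.4.32 and identifies phase 4 (ACCESS-LIST) as the dropping phase, which is the same thing one reads by hand above; the value is in feeding it a real syslog export, where the per-flow counts separate a single misconfigured host from a policy problem, and in pasting many packet-tracer runs and diffing the phase that drops.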