Did you allow the return of echo-replies on the outside interface? Or did you put the ICMP as an inspected protocol on the global inspection rule?
2010/4/27 Jimmy Larsson <[email protected]>:
> What am I doing wrong here? Working with WB 2 lab 12, trying to ping
> 6.6.4.32 (BB2) from R9 (on ASA DMZ) without success.
> Error message in ASA:
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
>
> There is a translation:
> ASA(config)# sh run static | incl DMZ
> static (DMZ,outside) 6.6.146.9 10.17.17.9 netmask 255.255.255.255
> There is a hole in the acl:
> ASA(config)# sh run access-group
> access-group OUTSIDE in interface outside
> access-group DMZ in interface DMZ
> ASA(config)# sh run access-list DMZ
> access-list DMZ extended permit udp host 10.17.17.9 host 6.6.99.1 eq ntp
> access-list DMZ extended permit icmp any any echo
> There is an inspect for icmp:
> ASA(config)# sh service-policy global | incl icmp
> Inspect: icmp, packet 0, drop 0, reset-drop 0
>
> This is what packet-tracer says:
> ASA(config)# packet-tracer input DMZ icmp 10.17.17.9 8 0 6.6.4.32 detailed
> Phase: 1
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
> (type 8, code 0)
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0xd7c6a3d8, priority=1, domain=permit, deny=false
> hits=2640, user_data=0x0, cs_id=0x0, l3_type=0x8
> src mac=0000.0000.0000, mask=0000.0000.0000
> dst mac=0000.0000.0000, mask=0000.0000.0000
> Phase: 2
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
> Phase: 3
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 6.6.4.0 255.255.255.0 outside
> Phase: 4
> Type: ACCESS-LIST
> Subtype:
> Result: DROP
> Config:
> Implicit Rule
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0xd7c6aa98, priority=110, domain=permit, deny=true
> hits=31, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
> src ip=0.0.0.0, mask=0.0.0.0, port=0
> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
> Result:
> input-interface: DMZ
> input-status: up
> input-line-status: up
> output-interface: outside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
> ASA(config)#
>
> Anyone?
> Br Jimmy
>
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>

--
Willians Barboza
CCIE Security # 25629
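The two options raised in the reply, written out as an added ASA configuration example. This is not configuration from the thread or from either poster; it assumes pre-8.3 ASA syntax (which the `static` command in the post implies), the interface and ACL names quoted above, and the addresses from the post. The extra ICMP types (`time-exceeded`, `unreachable`), the `inspect icmp error` line and the verification commands are additions, not something the thread shows.

```cisco
! Added example, not from the thread. Assumes ASA 8.2-style NAT ("static"),
! interfaces DMZ and outside, ACL names OUTSIDE/DMZ and the addresses quoted above.

! --- Option 1: no ICMP inspection ---
! Without inspection the ASA does not track ICMP statefully, so the echo-reply
! arriving on outside must be permitted explicitly, towards the translated
! (static) address of R9, not its real DMZ address. Permitting time-exceeded and
! unreachable as well keeps traceroute and PMTUD working through the firewall.
access-list OUTSIDE extended permit icmp any host 6.6.146.9 echo-reply
access-list OUTSIDE extended permit icmp any host 6.6.146.9 time-exceeded
access-list OUTSIDE extended permit icmp any host 6.6.146.9 unreachable
access-group OUTSIDE in interface outside

! --- Option 2: ICMP inspection ---
! With inspect icmp the echo request creates a connection entry and only the
! matching reply (same id/sequence) is allowed back in; no OUTSIDE ACL line is
! needed. "inspect icmp error" does the same for ICMP error messages (types 3/11).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Verification ---
! Confirm the inspection is actually bound to the global policy.
show service-policy global | include icmp
! Trace the request (DMZ -> outside) and, separately, the reply (outside -> DMZ).
! For option 1 the reply trace should be allowed by access-list OUTSIDE; for
! option 2 it should be allowed by the existing ICMP connection.
packet-tracer input DMZ icmp 10.17.17.9 8 0 6.6.4.32 detailed
packet-tracer input outside icmp 6.6.4.32 0 0 6.6.146.9 detailed
! Live check: an ICMP conn should exist while a ping is running (option 2 only).
show conn protocol icmp
! Hit counters tell whether the permit lines are being matched at all.
show access-list DMZ
show access-list OUTSIDE
```

The hit counters are the check worth doing first. The packet-tracer output quoted above drops the packet in Phase 4 on an "Implicit Rule" rather than on any line of access-list DMZ, so if `show access-list DMZ` shows `hitcnt=0` on the `permit icmp any any echo` line while the 106014 messages keep appearing, the outbound request is not reaching that ACL entry, and the return path (either option above) is not yet the problem.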
