Also, what are the security levels in each interface?

2010/4/27 Willians Barboza <[email protected]>:
> Did you allow the return of echo-replies on the outside interface? Or
> did you put the ICMP as an inspected protocol on the global inspection
> rule?
>
> 2010/4/27 Jimmy Larsson <[email protected]>:
>> What am I doing wrong here? Working with WB 2 lab 12, trying to ping
>> 6.6.4.32 (BB2) from R9 (on ASA DMZ) without success.
>> Error message in ASA:
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>>
>> There is a translation:
>> ASA(config)# sh run static | incl DMZ
>> static (DMZ,outside) 6.6.146.9 10.17.17.9 netmask 255.255.255.255
>> There is a hole in the acl:
>> ASA(config)# sh run access-group
>> access-group OUTSIDE in interface outside
>> access-group DMZ in interface DMZ
>> ASA(config)# sh run access-list DMZ
>> access-list DMZ extended permit udp host 10.17.17.9 host 6.6.99.1 eq ntp
>> access-list DMZ extended permit icmp any any echo
>> There is an inspect for icmp:
>> ASA(config)# sh service-policy global | incl icmp
>> Inspect: icmp, packet 0, drop 0, reset-drop 0
>>
>> This is what packet-tracer says:
>> ASA(config)# packet-tracer input DMZ icmp 10.17.17.9 8 0 6.6.4.32 detailed
>> Phase: 1
>> Type: ACCESS-LIST
>> Subtype:
>> Result: ALLOW
>> Config:
>> Implicit Rule
>> %ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32
>> (type 8, code 0)
>> Additional Information:
>> Forward Flow based lookup yields rule:
>> in id=0xd7c6a3d8, priority=1, domain=permit, deny=false
>> hits=2640, user_data=0x0, cs_id=0x0, l3_type=0x8
>> src mac=0000.0000.0000, mask=0000.0000.0000
>> dst mac=0000.0000.0000, mask=0000.0000.0000
>> Phase: 2
>> Type: FLOW-LOOKUP
>> Subtype:
>> Result: ALLOW
>> Config:
>> Additional Information:
>> Found no matching flow, creating a new flow
>> Phase: 3
>> Type: ROUTE-LOOKUP
>> Subtype: input
>> Result: ALLOW
>> Config:
>> Additional Information:
>> in 6.6.4.0 255.255.255.0 outside
>> Phase: 4
>> Type: ACCESS-LIST
>> Subtype:
>> Result: DROP
>> Config:
>> Implicit Rule
>> Additional Information:
>> Forward Flow based lookup yields rule:
>> in id=0xd7c6aa98, priority=110, domain=permit, deny=true
>> hits=31, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
>> src ip=0.0.0.0, mask=0.0.0.0, port=0
>> dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
>> Result:
>> input-interface: DMZ
>> input-status: up
>> input-line-status: up
>> output-interface: outside
>> output-status: up
>> output-line-status: up
>> Action: drop
>> Drop-reason: (acl-drop) Flow is denied by configured rule
>>
>> ASA(config)#
>>
>> Anyone?
>> Br Jimmy
>>
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
>
>
> --
> Willians Barboza
> CCIE Security # 25629
>

--
Willians Barboza
CCIE Security # 25629
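As an added example, not part of the thread above, here is a small Python parser for the %ASA-3-106014 ICMP deny messages Jimmy quoted. It pulls out the source/destination interface, address and ICMP type/code, and counts repeated denies per flow so a burst like the three identical lines above shows up as one flow with a count. The sample log lines are constructed to match the format in the thread, not real captures.

```python
"""Parse Cisco ASA %ASA-3-106014 ICMP deny messages and count them per flow."""
import re
from collections import Counter

# Format seen in the thread:
# %ASA-3-106014: Deny inbound icmp src <if>:<ip> dst <if>:<ip> (type N, code M)
ASA_106014 = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)


def parse_106014(line):
    """Return a dict of the fields in one 106014 message, or None for other lines."""
    m = ASA_106014.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    rec["code"] = int(rec["code"])
    return rec


def summarise_icmp_denies(lines):
    """Count denies keyed by (src_if, src_ip, dst_if, dst_ip, type, code)."""
    counts = Counter()
    for line in lines:
        rec = parse_106014(line)
        if rec:
            key = (rec["src_if"], rec["src_ip"], rec["dst_if"], rec["dst_ip"],
                   rec["type"], rec["code"])
            counts[key] += 1
    return counts


# Constructed sample: the thread's echo-request denies (joined onto one line each),
# one denied echo-reply coming back in on outside, and one unrelated message.
SAMPLE_LOG = [
    "%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src DMZ:10.17.17.9 dst outside:6.6.4.32 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:6.6.4.32 dst DMZ:6.6.146.9 (type 0, code 0)",
    "%ASA-6-302013: Built outbound TCP connection (constructed filler line)",
]

if __name__ == "__main__":
    for (src_if, src_ip, dst_if, dst_ip, t, c), n in summarise_icmp_denies(SAMPLE_LOG).items():
        print(f"{n}x {src_if}:{src_ip} -> {dst_if}:{dst_ip} icmp type {t} code {c}")
```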
