02-27-2014 12:48 PM - edited 03-11-2019 08:51 PM
I can't figure out how to overcome the implicit deny for icmp on the inside interface of an ASA firewall.
I am pinging from one internal host to another, both on the inside interface.
I've added explicit rules but it doesn't seem to matter.
Please help
asa(config)# packet-tracer input inside icmp 192.168.1.200 8 0 192.168.22.1 de$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.22.0 255.255.255.0 inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static any any destination static Net_192.168.0.0_16 Net_192.168.0.0_16 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.22.1/0 to 192.168.22.1/0
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1aaa70, priority=111, domain=permit, deny=true
hits=3637, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-27-2014 01:14 PM
Hi Keith,
Is another type of traffic permitted between the same devices? If not, please enable the following:
same-security-traffic permit intra-interface
It permits communication between peers connected to the same interface.
Kind regards,
Veronika
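An added example, not part of the original posts: a small Python parser for packet-tracer text that finds the dropping phase and flags the case in this thread, an implicit ACCESS-LIST drop where input_ifc and output_ifc are the same interface. The function names and the abbreviated sample trace are assumptions made for illustration.

```python
import re

# Abbreviated from the packet-tracer output quoted in the question (phases 2-3 omitted).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
input_ifc=inside, output_ifc=inside
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Split packet-tracer text into one dict per 'Phase: N' block."""
    pattern = r"^Phase: (\d+)[ \t]*\n(.*?)(?=^Phase: |^Result:[ \t]*$|\Z)"
    phases = []
    for m in re.finditer(pattern, trace, re.M | re.S):
        body = m.group(2)
        ptype = re.search(r"^[ \t]*Type: (\S+)", body, re.M)
        result = re.search(r"^[ \t]*Result: (\S+)", body, re.M)
        phases.append({"number": int(m.group(1)), "body": body,
                       "type": ptype.group(1) if ptype else None,
                       "result": result.group(1) if result else None})
    return phases

def diagnose(trace):
    """Return details of the first dropping phase, or None if nothing dropped."""
    for p in parse_phases(trace):
        if p["result"] != "DROP":
            continue
        ifc = re.search(r"input_ifc=([^,\s]+), output_ifc=([^,\s]+)", p["body"])
        same_ifc = bool(ifc) and ifc.group(1) == ifc.group(2)
        implicit = "Implicit Rule" in p["body"]
        # Hairpin case from this thread: implicit deny, same ingress and egress interface.
        hairpin = p["type"] == "ACCESS-LIST" and implicit and same_ifc
        return {"phase": p["number"], "type": p["type"], "implicit": implicit,
                "hairpin": hairpin,
                "check": "same-security-traffic permit intra-interface" if hairpin else None}
    return None
```

The command is global rather than per-interface, so after enabling it, re-run packet-tracer and confirm the interface ACL still limits hairpinned traffic to what is intended.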
02-27-2014 04:16 PM
Thanks, that worked perfectly.