AnyConnect clients can reach inside apps but NO ICMP allowed

Hi dear Cisco community,
I have a setup with a Cisco ASA 8.4 and customers connecting to a server on the inside interface.
Everything works very fine, they can reach all applications and stuff, BUT the ICMP would not go through.
I double checked, the server receives the ICMP echo fine and replies well.
It is my ASA that blocks the echo-reply packets, due to a NAT issue according to the logs:
6 Jun 26 2014 16:00:06 302020 172.16.23.1 1 AAA.BBB.CCC.1 0 Built inbound ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr AAA.BBB.CCC.1/0 laddr AAA.BBB.CCC.1/0 (customer1)
3 Jun 26 2014 16:00:07 305006 AAA.BBB.CCC.1 172.16.23.1 LOCAL regular translation creation failed for icmp src any:AAA.BBB.CCC.1 dst OUTSIDE:172.16.23.1(LOCAL\customer1) (type 0, code 0)
6 Jun 26 2014 16:00:08 302021 172.16.23.1 1 AAA.BBB.CCC.1 0 Teardown ICMP connection for faddr 172.16.23.1/1(LOCAL\customer1) gaddr AAA.BBB.CCC.1/0 laddr AAA.BBB.CCC.1/0 (customer1)
Here is an extract of my config:
object network VPN_POOL_CLTS
 subnet 172.16.23.0 255.255.255.0
object network INSIDE_SERVERS_NET
 subnet AAA.BBB.CCC.0 255.255.255.0
nat (any,OUTSIDE) source dynamic any interface description NAT overload
nat (OUTSIDE,any) source static VPN_POOL_CLTS VPN_POOL_CLTS no-proxy-arp
I believe that there is a NAT issue, so I would add the following line before the first two NAT config lines:
nat (INSIDE,OUTSIDE) source static INSIDE_SERVERS_NET INSIDE_SERVERS_NET no-proxy-arp
Do you think this will solve the issue?
Why would all traffic flows work but ICMP?
Thank you all for reading.

Hi Florian,
If you look at the logging values for ICMP denies:
305006
Error Message %ASA-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name : source_address / source_port [( idfw_user )] dst interface_name : dest_address / dest_port [( idfw_user )]
Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA denies translations for an IP address identified as a network or broadcast address.
The ASA does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT translation. As a result, when the other ICMP message types are dropped, this message is generated.
The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.
For example:
static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128
The ASA responds to global address 10.2.2.128 as a network address and to 10.2.2.255 as the broadcast address. Without an existing translation, the ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this message.
When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the subnet static command (the first match rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128
The translation may be created by traffic started from the inside host with the IP address in question. Because the ASA views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static commands must be the same.
Recommended Action None required.
302020
Error Message %ASA-6-302020: Built {in | out}bound ICMP connection for faddr { faddr | icmp_seq_num } [( idfw_user )] gaddr { gaddr | icmp_type } laddr laddr [( idfw_user )]
Explanation An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command.
Recommended Action None required.
So a similar rule like the one below would solve your problem:
nat (inside,outside) source static OBJ_INTERNAL OBJ_INTERNAL destination static OBJ_VPN OBJ_VPN no-proxy-arp route-lookup
Regards
Karthik
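As an added illustration (not code from this thread or from Cisco), here is a small Python model of the ASA's first-match evaluation of manual (section 1) NAT rules, assuming a simplified lookup that ignores bidirectional xlate matching, sections 2/3 and object groups, and using a constructed 10.10.10.0/24 in place of the anonymised server subnet. It shows that in the posted order the server's echo-reply to the VPN pool is steered into the dynamic PAT rule, that Karthik's destination-specific exemption placed first changes that while leaving the servers' Internet-bound traffic PATed, and that Florian's source-only identity line would also remove PAT for the servers' Internet traffic.

```python
# Added example, not from the thread: a simplified first-match model of ASA
# manual (twice) NAT, section 1, to see which posted rule a flow hits. It
# ignores bidirectional xlate lookup, sections 2/3 and object groups, and
# 10.10.10.0/24 is a constructed stand-in for the anonymised AAA.BBB.CCC.0/24.
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass
class NatRule:
    src_ifc: str         # real (ingress) interface, or "any"
    dst_ifc: str         # mapped (egress) interface, or "any"
    action: str          # "identity" (exemption) or "dynamic-pat"
    src_net: str = ANY   # real source object, or "any"
    dst_net: str = ANY   # real destination object, or "any"

def _in_net(ip, net):
    return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def first_match(rules, ingress, egress, src_ip, dst_ip):
    """ASA evaluates section 1 top-down and applies the first matching rule."""
    for r in rules:
        if (r.src_ifc in (ANY, ingress) and r.dst_ifc in (ANY, egress)
                and _in_net(src_ip, r.src_net) and _in_net(dst_ip, r.dst_net)):
            return r
    return None

VPN_POOL = "172.16.23.0/24"   # object VPN_POOL_CLTS from the post
SERVERS = "10.10.10.0/24"     # constructed stand-in for INSIDE_SERVERS_NET
POSTED = [  # the two NAT lines from the post, in the posted order
    NatRule(ANY, "OUTSIDE", "dynamic-pat"),          # source dynamic any interface
    NatRule("OUTSIDE", ANY, "identity", VPN_POOL),   # source static VPN_POOL_CLTS
]
# Karthik's fix: identity NAT that also pins the destination to the VPN pool.
EXEMPT = NatRule("INSIDE", "OUTSIDE", "identity", SERVERS, VPN_POOL)
# Florian's proposed line: identity NAT on the server source only.
SRC_ONLY = NatRule("INSIDE", "OUTSIDE", "identity", SERVERS)

def flow_action(rules, ingress, egress, src_ip, dst_ip):
    r = first_match(rules, ingress, egress, src_ip, dst_ip)
    return r.action if r else "no-nat"

def echo_reply_action(rules):
    """Echo-reply from server 10.10.10.1 back to VPN client 172.16.23.1."""
    return flow_action(rules, "INSIDE", "OUTSIDE", "10.10.10.1", "172.16.23.1")

def internet_action(rules):
    """The same server talking to an Internet host (198.51.100.10, TEST-NET-2)."""
    return flow_action(rules, "INSIDE", "OUTSIDE", "10.10.10.1", "198.51.100.10")

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("exempt first", [EXEMPT] + POSTED),
                         ("src-only first", [SRC_ONLY] + POSTED)):
        print(f"{label:15} echo-reply={echo_reply_action(rules):12} internet={internet_action(rules)}")
```

Rule order matters as much as rule content: the same exemption appended after the dynamic PAT line never gets a chance to match the echo-reply.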