Cisco ASA Tip: Deny ICMP (type 3, code 3)

I use Cacti to graph all sorts of things, and we recently upgraded to a Cisco ASA firewall.  For a long time I couldn’t figure out what this message was that kept appearing:

Deny icmp src outside:1.2.3.4 dst inside:10.0.0.2 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]

Since Google wasn’t very helpful, I did some experimenting.  I knew the destination server was our monitoring server (10.0.0.2 in this example) and that Cacti and Nagios were running on it, so the ICMP packets were most likely coming from one of those two monitoring tools, because the above message appeared regularly, about three times in a row each minute.

It turns out that in Cacti, you can check that a host is up by using TCP ping, UDP ping, or ICMP ping.  UDP ping actually sends a specially crafted UDP packet to a specific port and tests the TTL (time to live), at least that’s my best understanding of how it works.  The reply a host sends to such a probe is an ICMP Destination Unreachable message with code 3, "port unreachable", which is exactly the type 3, code 3 packet the ASA is denying on its way back in through outside_access_in.  Again, Google let me down, so I’m hoping this post will help you out.

The solution:

In Cacti, change each host’s ping method from UDP ping to ICMP ping.

The firewall is happy with that, and reachability checks are what ICMP echo is used for all the time anyway.  Only a few hosts were causing this message, mostly in DMZ networks that my monitoring server reaches through the firewall from the LAN.  After changing their ping method from UDP to ICMP, those messages disappeared for legitimate hosts.
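To save the experimenting described above, here is an added example (not code from the original post, and not part of Cacti or Cisco's tooling) that parses the ASA "Deny icmp ... by access-group" message, decodes the ICMP type and code, and counts the denied port-unreachable replies per source host and destination, so you can see at a glance which monitored hosts are still being probed with UDP ping. The log lines fed to it are constructed for the example; the regular expression only assumes the message format shown in the post.

```python
import re
from collections import Counter

# Matches the ASA access-group deny message for ICMP as quoted in the post.
# search() is used so a syslog timestamp or message-ID prefix before
# "Deny icmp" does not matter.
ASA_ICMP_DENY = re.compile(
    r'Deny icmp src (?P<src_if>[^:\s]+):(?P<src>\S+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# ICMP type 3 (Destination Unreachable) codes, per RFC 792 / RFC 1122.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed",
}


def describe_icmp(icmp_type, code):
    """Human-readable meaning of an ICMP type/code pair."""
    if icmp_type == 3:
        return "destination unreachable: " + UNREACHABLE_CODES.get(code, f"code {code}")
    if icmp_type == 8 and code == 0:
        return "echo request"
    if icmp_type == 0 and code == 0:
        return "echo reply"
    return f"type {icmp_type} code {code}"


def parse_icmp_deny(line):
    """Parse one ASA deny line; return a dict of fields or None if it is not one."""
    m = ASA_ICMP_DENY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    rec["code"] = int(rec["code"])
    rec["meaning"] = describe_icmp(rec["type"], rec["code"])
    return rec


def udp_ping_replies(lines):
    """Count denied port-unreachable messages per (src, dst, acl).

    A UDP ping elicits ICMP type 3 code 3 from the probed host, so each
    counted entry is a monitored host whose reply the firewall is dropping.
    """
    counts = Counter()
    for line in lines:
        rec = parse_icmp_deny(line)
        if rec and rec["type"] == 3 and rec["code"] == 3:
            counts[(rec["src"], rec["dst"], rec["acl"])] += 1
    return counts


# Constructed sample log: three port-unreachable replies from one DMZ host,
# one host-unreachable from a router, one denied echo request, one unrelated line.
SAMPLE_LOG = [
    'Deny icmp src outside:1.2.3.4 dst inside:10.0.0.2 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]',
    'Deny icmp src outside:1.2.3.4 dst inside:10.0.0.2 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]',
    'Deny icmp src outside:1.2.3.4 dst inside:10.0.0.2 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]',
    'Deny icmp src outside:5.6.7.8 dst inside:10.0.0.2 (type 3, code 1) by access-group "outside_access_in" [0x0, 0x0]',
    'Deny icmp src outside:9.9.9.9 dst inside:10.0.0.2 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    'some unrelated log line that should be ignored',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_icmp_deny(line)
        if rec:
            print(f'{rec["src"]} -> {rec["dst"]}: {rec["meaning"]}')
    for (src, dst, acl), n in udp_ping_replies(SAMPLE_LOG).items():
        print(f"{n} UDP-ping replies from {src} to {dst} dropped by {acl}")
```

Pipe the ASA syslog into `udp_ping_replies` and every host that shows up is one whose Cacti ping method still needs changing from UDP to ICMP; the other deny lines (host unreachable, echo requests) are left alone so they are not mistaken for the same problem.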
