topic Re: ASA "icmp" question. in Network Security

ASA "icmp" question.

AlexFer — Wed, 20 May 2020 06:57:52 GMT

Hi Experts,

CLI Reference for "icmp" command states "The icmp command controls ICMP traffic that terminates on any ASA interface." As I read it, this is filtering on ingress (ie. incoming ICMP message).

But this example in same document throws me off:

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
ciscoasa(config)# icmp permit host 172.16.2.15 echo-reply outside
ciscoasa(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
ciscoasa(config)# icmp permit any unreachable outside

Surely, above "echo-reply" should be "echo"?

My reason for revisiting is that I'm receiving "%ASA-3-313001: Denied ICMP type=3, code=3 from {obfuscated} on interface external" which I don't expect, since "icmp" is provisioned thus:

5525# show running-config icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo external
icmp permit any external

R's, Alex

Re: ASA "icmp" question.

Panos Bouras — Wed, 20 May 2020 09:44:21 GMT

Hi Alex,

Could be due to your ICMP inspect configuration.

Please check the following articles regarding ICMP Inspection on ASA

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/asdm74/firewall/asdm-74-firewall-config/inspect-basic.html#ID-2092-000007d4

and

https://community.cisco.com/t5/security-blogs/cisco-asa-and-icmp-inspection/ba-p/3773485

Re: ASA "icmp" question.

AlexFer — Wed, 20 May 2020 14:06:38 GMT

> Could be due to your ICMP inspect

I can’t see how - ICMP Inspect is for through ASA traffic, not to/from ASA.

Re: ASA "icmp" question.

Marvin Rhoads — Wed, 20 May 2020 14:39:04 GMT

I would expect the ASA to allow "echo" (not echo-reply). What was the source document?

Is the ASA-3-313001 message showing any other information? If not perhaps you could packet capture it - it could be a something other than an icmp echo coming into the ASA interface.

Re: ASA "icmp" question.

AlexFer — Wed, 20 May 2020 15:01:42 GMT

> I would expect the ASA to allow "echo" (not echo-reply). What was the source document?

I quoted example in ASA CLI Reference for command “icmp”.

> Is the ASA-3-313001 message showing any other information?

no - I copied content as stored on SYSLOG server, just with IP address obfuscated. ASA Log Reference explicitly states that 313001 is associated with “icmp” command.

Re: ASA "icmp" question.

Marvin Rhoads — Fri, 22 May 2020 11:01:29 GMT

The log message indicates it is being generated due to a type 3 code 3 message. That indicates host unreachable / port unreachable. A basic ping (echo request) would be type 8.

Replies to traceroute initiated from inside your network would include icmp unreachable messages. Those need to be explicitly permitted if you want to allow that function. It would require something like this:

access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable

...along with the following in a class-map (that's referenced in your policy-map global_policy and applied via service-policy):

 class class-default
  set connection decrement-ttl

Re: ASA "icmp" question.

AlexFer — Fri, 22 May 2020 12:42:21 GMT

Surely, log messages 313001 is not associated with deny by access-group? Cisco Log Reference specifically mentions “icmp” command.

Re: ASA "icmp" question.

Marvin Rhoads — Fri, 22 May 2020 13:00:14 GMT

No, I'm not saying that message is due to any deny by access group.

The message indicates the ASA received the ICMP message and is discarding it. The ASA will do that for ICMP messages other than the echo requests (type 😎 if all you have configured is to allow the ASA to reply to ICMP on the external interface.

I was going beyond the initial question and offering a theory as to why it is discarding ICMP type 3 (unreachable) messages.

Re: ASA "icmp" question.

AlexFer — Fri, 22 May 2020 13:38:28 GMT

Firstly, do you agree that trigger of log messages 313001 is an ICMP message with destination IP address matching “external” interface’s IP address?

Secondly, if above is true, then either ASA initiated the original request ICMP message that caused that response; or, it’s simply a drive-by ICMP message received (but not initiated) by ASA (perhaps, initiated by nmap)?

> if all you have configured is to allow the ASA to reply to ICMP on the external interface.

Are you saying that because of my second line: “icmp permit any external”, log message 313001 the result of ASA not knowing what to do with it and dropping it?

Re: ASA "icmp" question.

Marvin Rhoads — Fri, 22 May 2020 13:57:58 GMT

@AlexFer wrote:

Firstly, do you agree that trigger of log messages 313001 is an ICMP message with destination IP address matching “external” interface’s IP address?

Yes I agree.

Secondly, if above is true, then either ASA initiated the original request ICMP message that caused that response; or, it’s simply a drive-by ICMP message received (but not initiated) by ASA (perhaps, initiated by nmap)?

It could have been an external scan. More likely it is a response from some external host to an internally-generated traceroute. Either one could cause such input.

> if all you have configured is to allow the ASA to reply to ICMP on the external interface.

Are you saying that because of my second line: “icmp permit any external”, log message 313001 the result of ASA not knowing what to do with it and dropping it?

Correct. The command "icmp permit any external" by itself only configures the ASA to send ICMP echo replies in response to ICMP echo requests (ICMP type 😎 from any external host. Any other type of incoming ICMP message will generate the 313001 message.

Re: ASA "icmp" question.

AlexFer — Fri, 22 May 2020 14:39:00 GMT

> More likely it is a response from some external host to an internally-generated traceroute.

this can’t be, because then destination IP address of this (response) ICMP message would that of that internal host that generated the request (as you say, using traceroute) and NOT of ASA’s external interface IP address. In which case, we’d be seeing the deny Log message, pertaining to access-group, and not 313001.

Re: ASA "icmp" question.

Marvin Rhoads — Fri, 22 May 2020 14:37:54 GMT

It could be so if the ASA was configured to NAT internal hosts to the external interface address.

You've only shared a small snippet of the running-config so I'm positing a common use case.

Re: ASA "icmp" question.

AlexFer — Fri, 22 May 2020 14:42:16 GMT

Granted, but I can assure, no NAT on this ASA.