topic Re: ASA: Strange behaviour of ICMP echo replies through a S2S tunnel in Network Security

ASA: Strange behaviour of ICMP echo replies through a S2S tunnel

swscco001 — Tue, 19 Oct 2021 14:52:40 GMT

Hello everybody,

today I have an issue regarding VPN filters for site-to-site VPNs
at a ASA5525 running OS rel. 9.12(4)26.

The customer has several site-to-site VPN tunnels and the issue occur
with each of them so I assume the reason is located in the general
configuration.

In the VPN filter ACL IPSEC-MediaCologne is currently allowing the
remote users to ping and RDP local hosts (see attached small screen dump).

Now when he ping from a local host to a remote host he gets only ICMP
replies when he allows the remote users to ping local users by the
first VPN filter entry!

I thought that when:

...
policy-map global_policy
class inspection_default
...
inspect icmp
...

is in the configuration ICMP will be treated similar as a stateful protocol
so I don't need think about the return traffic.

I don't know why we need a VPN filter entry for allowing the remote users
to ping us to make the ASA able to let pass ICMP replies for our pings to
the remote hosts.

I attach the 'sh run all' output and perhaps someone has an explanation
for this behaviour.

Thanks a lot!

Bye

Re: ASA: Strange behaviour of ICMP echo replies through a S2S tunnel

Marius Gunnerud — Tue, 19 Oct 2021 22:01:35 GMT

I do not see any reason why that should be allowed. The only reason I can think of is if dynamic IPs were used at the remote office to send periodic ping to keep the tunnel up. But that is not the case in your setup. Is there perhaps any equipment at the remote site that needs to ping over the VPN, perhaps to check if something is reachable?

You could remove it and see who starts screaming 🙂

Re: ASA: Strange behaviour of ICMP echo replies through a S2S tunnel

swscco001 — Wed, 20 Oct 2021 06:10:46 GMT

Hi Marius,

thanks for your reply!

The customer want to be able to ping remote hosts to check their availablility and

not to bring up the tunnel. The remote users are usually not use ping.

The local customer starts a permanent ping to a remote host and when he deactivate

the first VPN-Filter entry for ICMP he gets no reply anymore.

In a L2L VPN Filter ACLs you ALWAYS define the source address as the "remote network".

So it looks like he needs to allow ICMP echo replies by an ACL entry even if

inspect icmp

is enabled.

This is not logical and would not be expected from a stateful firewall.

Perhaps someone can explain this to me and the customer.

Thanks a lot!

Bye

Re: ASA: Strange behaviour of ICMP echo replies through a S2S tunnel

Marius Gunnerud — Mon, 25 Oct 2021 10:45:46 GMT

It actually is logical. the inspect icmp is for through the box traffic. That is to say traffic that enters interface A and gets checked by the interface ACL, and this is where the inspect icmp is checked. L2L VPN is to the box traffic. By default, VPN traffic bypasses the interface ACL so the inspect icmp will never be used. You would need to disable sysopt connection permit-vpn function, this will tell the ASA to check all VPN traffic against the interface ACL and you should now see that inspect icmp works. If you decide to change to this type of setup, remember to remove the VPN filter configuration.

Re: ASA: Strange behaviour of ICMP echo replies through a S2S tunnel

swscco001 — Wed, 27 Oct 2021 12:00:17 GMT

Hi Marius,

when I disable sysopt connection permit-vpn a lot of trouble with other tunnels will be the consequence 🙂 . I know this from other cases.

The adminstrator wants just ping from a local protected host a host in the remote protected network though a present S2S-Tunnel and need to allow the reply traffic in the VPN filter ACL or disable sysopt connection permit-vpn therefore? This is hard to believe.

I had a chat with the customer about this. Within a 2S2 tunnel when sysopt connection permit-vpn

is anabled reply traffic should be allowed without any entry in the VPN filter ACL and treated in a

stateful firewall style.

Would it be the same when he use SSH instead of ping, so it is an exception at ICMP in comparison

with TCP?

The customer is asking: Should this be the behaviour of a stateful firewall?

Thanks for your effort!

Bye

Re: ASA: Strange behaviour of ICMP echo replies through a S2S tunnel

Marius Gunnerud — Thu, 04 Nov 2021 09:33:13 GMT

Compairing SSH to ICMP is like compairing apples and oranges. They are not the same. SSH is connection oriented while ICMP is connectionless. This is why we need the inspect icmp to allow ICMP replies between interfaces on the firewall.

That being said, the inspect icmp needs to see the echo request on one interface, and then monitors for the echo reply on another interface (or the same interface in the case of hairpinning). The problem with VPN is that the traffic is encrypted on the ingress interface, so the ASA does not see the initial ICMP request and is not able to check for the reply. This is the reason you would need to allow the ICMP reply when coming through the VPN and not being able to disable sysopt connection permit-vpn