https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810318#M173213 <P>I think this applies to "icmp error" inspection, rather than "icmp" inspection, which is different.</P> <P></P> <P>(1). Yes. &nbsp;In fact &nbsp;if you are good enough at spoofing packets you could do this for any reply packet of any type.</P> <P></P> <P>(2) I don't know. &nbsp;icmp error should be tied to an existing tcp/udp session I would think, while icmp inspection should match an existing outbound icmp packet.</P> Wed, 20 Jan 2016 07:33:07 GMT Philip D'Ath 2016-01-20T07:33:07Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810317#M173212 <P>Hi All,</P> <P></P> <P>Please advise on the below</P> <P></P> <P>Say for ICMP, we have enabled inspection, how the firewall does the stateful inspection?</P> <P>From other blogs, it seems the ASA will create a Dynamic ACL with wildcard source address.&nbsp;</P> <P>Question:</P> <P>1)If wildcard source address, if I have crafted a packet with correct destination address and it is ICMP reply, will it be successful?</P> <P>2) What are the attributes the ASA firewall will keep in its stateful session for checking of the return traffic?</P> <P></P> <P>Thanks</P> Tue, 12 Mar 2019 07:10:03 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810317#M173212 rakeshvelagala 2019-03-12T07:10:03Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810318#M173213 <P>I think this applies to "icmp error" inspection, rather than "icmp" inspection, which is different.</P> <P></P> <P>(1). Yes. &nbsp;In fact &nbsp;if you are good enough at spoofing packets you could do this for any reply packet of any type.</P> <P></P> <P>(2) I don't know. &nbsp;icmp error should be tied to an existing tcp/udp session I would think, while icmp inspection should match an existing outbound icmp packet.</P> Wed, 20 Jan 2016 07:33:07 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810318#M173213 Philip D'Ath 2016-01-20T07:33:07Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810319#M173214 <P>Hello Philip,</P> <P></P> <P>I got into a recent small issue with ICMP on ASA. In production on ASA boxes doing mostly VPN (site-to-site or Anyconnect) do you enable or not <EM>ICMP inspect</EM>?</P> <P></P> <P>Do you have any recommedations or best practices for when to enable and when to use default config on <EM>ICMP&nbsp;inspect?</EM></P> <P><EM></EM></P> <P>Thanks,</P> <P>Florin.</P> Mon, 22 Feb 2016 21:30:15 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810319#M173214 Florin Barhala 2016-02-22T21:30:15Z https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810320#M173215 <P>I always turn it on. &nbsp;I think it is too valuable as a tool to leave off.</P> Mon, 22 Feb 2016 21:49:35 GMT https://community.cisco.com/t5/network-security/icmp-inspection/m-p/2810320#M173215 Philip D'Ath 2016-02-22T21:49:35Z