topic ICMP on ASA5510 in Network Security

ICMP on ASA5510

Ali Norouzi — Mon, 11 Mar 2019 23:32:43 GMT

I want to allow ICMP traffic on ASA 5510 from LAN interface to DMZ. I've permit any traffic and added ICMP to the inspestion list also but still there is problem. Belos is the configuration. The image is asa822-k8.bin

ASA Version 8.2(2)

hostname fw-01

names

interface Ethernet0/0

nameif LAN

security-level 50

ip address 172.20.4.2 255.255.255.252

interface Ethernet0/1

nameif DMZ

security-level 100

ip address 172.20.4.65 255.255.255.252

interface Ethernet0/2

no nameif

no security-level

no ip address

interface Ethernet0/3

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 172.20.1.220 255.255.255.0

management-only

boot system disk0:/asa822-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list DMZ-->LAN extended permit ip any any

access-list DMZ-->LAN extended permit icmp any any

access-list LAN-->DMZ extended permit ip any any

access-list LAN-->DMZ extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu LAN 1500

mtu DMZ1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group LAN-->DMZ in interface LAN

access-group DMZ-->LAN out interface LAN

access-group DMZ-->LAN in interface DMZ

access-group LAN-->DMZ out interface DMZ

route LAN 10.0.0.0 255.0.0.0 172.20.4.1 1

route DMZ 172.30.0.0 255.255.255.0 172.20.4.66 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

http server enable

http 10.0.0.5 255.255.255.255 LAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 LAN

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username cisco password 3USUcOPFUiMCO4Jk encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0055841bfefc4136bb22c6cd5b425b9b

: end

ICMP on ASA5510

Jennifer Halim — Thu, 19 Jul 2012 04:58:22 GMT

You would also need to configure:

no nat-control

Then "clear xlate"

Assuming that you wont' be configuring any NAT commands in the future.

Re: ICMP on ASA5510

Ramraj Sivagnanam Sivajanam — Thu, 19 Jul 2012 05:02:00 GMT

Hi Bro

Cisco ASA FW is a stateful FW. This means in your rules, you don't have to permit 2-way. Just do the following to permit ICMP and TRACEROUTE, and all will be good 🙂

Note: Please change the security-level LAN from 50 to 100 & DMZ from 100 to 50.

nat-control

static (LAN,DMZ) 172.20.4.0 172.20.4.0 netmask 255.255.255.252

static (LAN,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

no access-list DMZ-->LAN extended permit ip any any
no access-list LAN-->DMZ extended permit ip any any
no access-list LAN-->DMZ extended permit icmp any any
no access-list DMZ-->LAN extended permit icmp any any

access-list DMZ-->LAN extended permit icmp any any echo
access-list DMZ-->LAN extended permit icmp any any echo-reply
access-list DMZ-->LAN extended permit icmp any any time-exceeded
access-list DMZ-->LAN extended permit icmp any any unreachable
access-list DMZ-->LAN extended permit udp any any range 33434 33464
access-list DMZ-->LAN deny ip any any log

access-list LAN-->DMZ extended permit icmp any any echo
access-list LAN-->DMZ extended permit icmp any any echo-reply
access-list LAN-->DMZ extended permit icmp any any time-exceeded
access-list LAN-->DMZ extended permit icmp any any unreachable
access-list LAN-->DMZ extended permit udp any any range 33434 33464
access-list LAN-->DMZ deny ip any any log

no access-group DMZ-->LAN out interface LAN
no access-group LAN-->DMZ out interface DMZ

access-group LAN-->DMZ in interface LAN
access-group DMZ-->LAN in interface DMZ

policy-map global_policy

class inspection_default

inspect icmp error

inspect icmp

class class-default

set connection decrement-ttl

Note: Provided your workstations have the correct default gateway set in LAN and DMZ.

ICMP on ASA5510

Ali Norouzi — Thu, 19 Jul 2012 05:14:06 GMT

Hi Jeniffer,

I need NAT in future. Actually I started to configure this firewall but in first stage I faced this issue and that's why I permitted anything in two direction.

ICMP on ASA5510

Jennifer Halim — Thu, 19 Jul 2012 05:19:15 GMT

In that case, pls configure the following instead:

static (DMZ,LAN) 172.30.0.0 172.30.0.0 netmask 255.255.255.0

static (DMZ,LAN) 172.20.4.64 172.20.4.64 netmask 255.255.255.252

Then "clear xlate" after the changes.

ICMP on ASA5510

Ali Norouzi — Thu, 19 Jul 2012 06:11:05 GMT

Problem still exist. I have tested it on ASA5520 and there is no problem on that. Is there diffrence between them in rules?

ICMP on ASA5510

Jennifer Halim — Thu, 19 Jul 2012 06:58:42 GMT

No, there is no difference at all between 5520 and 5510 as far as software and configuration is concern, they should behave in exactly the same way.

Are you trying to ping the host or interface of the ASA?

Just FYI, you can't ping cross interface, ie: from a host on LAN you can't ping ASA DMZ interface and vice versa. You can only ping through the ASA, ie: from host on LAN towards host on DMZ and vice versa.

Please advise what you are trying to ping to and from, and also run "debug icmp trace" to see if the ASA is receiving and replying to the ICMP packets.

ICMP on ASA5510

Ali Norouzi — Thu, 19 Jul 2012 07:19:04 GMT

I want to ping through ASA. From host on LAN towards host on DMZ. Debug icmp shows that packet is coming from LAN interface to DMZ, but no reply is sent back.

ICMP on ASA5510

Jennifer Halim — Thu, 19 Jul 2012 07:26:49 GMT

Can you please advise what ip address you are trying to ping from and to?

Also does the DMZ host and/or 172.20.4.66 device knows to route back towards the ASA DMZ Interface IP for access towards LAN host?

Can you ping between the 172.20.4.66 and 172.20.4.1 devices through the ASA?

Re: ICMP on ASA5510

gaurav bhardwaj — Thu, 19 Jul 2012 12:25:34 GMT

Hi i am sending topology and running config ,i hope it will help you.

i am able to recieve icmp packet from lan to dmz and dmz to lan

interface GigabitEthernet0

nameif management

security-level 100

ip address 10.1.1.1 255.0.0.0

interface GigabitEthernet1

nameif outside

security-level 0

ip address 20.1.1.1 255.0.0.0

interface GigabitEthernet2

nameif LAN

security-level 50

ip address 172.20.4.2 255.255.255.252

interface GigabitEthernet3

nameif DMZ

security-level 100

ip address 172.20.4.65 255.255.255.252

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list LAN_access_in extended permit icmp any any

access-list LAN_access_out extended permit ip any any

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_out extended permit ip any any

pager lines 24

mtu management 1500

mtu outside 1500

mtu LAN 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group LAN_access_in in interface LAN

access-group LAN_access_out out interface LAN

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

route LAN 173.1.0.0 255.255.0.0 172.20.4.1 1

route DMZ 174.1.0.0 255.255.0.0 172.20.4.66 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.1.1.2 255.255.255.255 management

no snmp-server location

no snmp-server contact

crl configure

Re: ICMP on ASA5510

gaurav bhardwaj — Thu, 19 Jul 2012 13:03:19 GMT

and boss there is also another way to do this

you can create a police map or edit default policy map

policy-map global-policy

class global-class

inspect dns

inspect esmtp

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

inspect icmp

inspect icmp error