topic Re: Why enable ICMP inspection will allow ICMP traffic to pass A in Network Security

Why enable ICMP inspection will allow ICMP traffic to pass ASA ?

cooperchien — Mon, 11 Mar 2019 19:54:56 GMT

I have ASA 5510. I know by default ASA does not allow ICMP echo to pass through ASA so the host behind my ASA will not get echo replies.

I used to think that I must create access list to enable the ICMP packets to pass through ASA. Then I found that I can also create a service policy to enable ICMP inspectiom to achieve the same goal.

But why? How does applicaiton inspection on ICMP "make" ASA allow ICMP to pass without any access list configured?

Re: Why enable ICMP inspection will allow ICMP traffic to pass A

Jennifer Halim — Wed, 23 Feb 2011 07:28:31 GMT

You will have to configure access-list to pass through the ICMP ECHO if you already have access-list applied to your interfaces, however, with the "inspect icmp", it will dynamically allow the corresponding ICMP ECHO Reply to pass through without needing to have access-list to allow the ECHO Reply.

Here is more information on ICMP inspection for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735986

Hope that helps.

Re: Why enable ICMP inspection will allow ICMP traffic to pass A

uber_cookie — Wed, 23 Feb 2011 07:47:04 GMT

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic Access Control Lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftfwicmp.html

UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair. UDP also contains port pairs, and ICMP has type and code information. All of these data can be analyzed in order to build "virtual connections" in the cache. For instance, a cache entry will be created by any UDP packet which originates on the LAN. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN which have matching IP and UDP information will be allowed back in through the firewall.

http://www.ssimail.com/Stateful.htm

Re: Why enable ICMP inspection will allow ICMP traffic to pass A

cooperchien — Wed, 23 Feb 2011 19:18:48 GMT

Is it true that by default ASA has inpsection engine configured not to allow ICMP echo to pass through. Then I when I enable stateful inspection on ICMP, the inspection engine will start to allow all ICMP types such as echo to pass through ASA?

I am thinking that it is inspection engine that blocks the ICMP packet because I do not see any new access list created after I enable or disable ICMP inspection.

I used to think that enabling stateful inspection of ICMP and allowing ICMP to pass through firewall are two different things. Is it by design Cisco thinks that if you enable stateful inspection on ICMP, it is safe to allow ICMP to pass through ASA?

Re: Why enable ICMP inspection will allow ICMP traffic to pass A

Jennifer Halim — Thu, 24 Feb 2011 00:55:22 GMT

No, not echo, it will allow the respective echo-reply back in if icmp inspection is enabled.

For echo, you still need to allow that through in your access-list as echo will be the first connection through the firewall.

And it would be best if you enable icmp inspection because the firewall will check that only the legitimate reply gets through. With access-list, it will pretty much allow any replies to come through.