topic Re: inspecting ICMP on ASA in Network Security

inspecting ICMP on ASA

mestasew1 — Fri, 21 Feb 2020 16:27:45 GMT

Hi Everyone,

I am in the process of setting up ASA for home lab . In the process have attempted to configure inspection of icmp traffic and was following a doucument I got online. At a point, when enter

class-map type inspect

command it does take icmp or show icmp as an option ( see attached screen capture).

Please share if is there is other way of doing achieving this or the problem ?

Re: inspecting ICMP on ASA

Rob Ingram — Mon, 12 Nov 2018 21:18:31 GMT

Hi,
Try this:-

policy-map global_policy
class inspection_default
inspect icmp

or "fixup protocol icmp"

Re: inspecting ICMP on ASA

mkazam001 — Mon, 12 Nov 2018 21:19:41 GMT

policy-map global_policy
class inspection_default
inspect icmp

regards, mk

please rate if helpful or solved 🙂

Re: inspecting ICMP on ASA

mestasew1 — Mon, 12 Nov 2018 22:34:10 GMT

Hi RJI,

I thank you for your prompt response. I see now the command you provided helped to list icmp as one of the default inspected protocol. but I could not still get a ping response from a device connected to the outside interface. I can get a response from the outside device when ping from the ASA itself but if clients connected to inside interface the ping will time out.

1. The outside router is directly connected to the ASA with outside interface with the same ip address space

2. My inside interface is configured with different subnet with dhcp enabled with gateway of the inside interface address

3. The route is configured to point to forward unknown network (0/0) traffic to the outside router.

So do you think this is ICMP issue with firewall or another problem ?

Re: inspecting ICMP on ASA

mestasew1 — Mon, 12 Nov 2018 22:37:08 GMT

Thank you for your response. is there a way to verify the configuration other than pinging devices?

Re: inspecting ICMP on ASA

Rob Ingram — Mon, 12 Nov 2018 22:43:31 GMT

What network are you sourcing traffic from, the inside network? Are you natting the traffic on the outside interface?
If you are not natting, does the other device have a route back to that network?

Run packet-tracer and upload the output.

E.g. - packet-tracer input inside icmp <src ip> 8 0 <dst ip>

Re: inspecting ICMP on ASA

k.nandakumar — Tue, 13 Nov 2018 03:43:13 GMT

Check 1: On ASA, make sure you have ACL on Outside interface permitting ICMP from router towards inside.

Check 2: reverse route to inside network on router, if NAT is not configured on the ASA.

or Configure NAT/PAT for inside network on ASA.

Check 3: After above Check 1 & 2. run ping and do packet capture on outside interface of ASA and inside interface of router.

if above doesn't resolve, can you past ASA and router config and packet capture of Outside interface ASA and Inside interface of Router?

Re: inspecting ICMP on ASA

mestasew1 — Tue, 13 Nov 2018 18:53:33 GMT

Mk,

I thank you for your suggestion.

1 . there is no any ACL applied . the idea is to use the icmp inspection rule with out an acl.
2. NAT is not used and configured.

let me try a couple of suggested settings and will share results.

Re: inspecting ICMP on ASA

mestasew1 — Tue, 13 Nov 2018 19:17:56 GMT

RJI,
Yes,I am sourcing the traffic from inside network. attempting to reach network connected on the outside interface of the Firewall . this outside network segment is assigned with private IP address. I am not using NAT at this point . However this device is a gateway for my internet.
It can be considered that the firewall is between two local area networks.
I will share the results of the packet tracer .

Re: inspecting ICMP on ASA

mestasew1 — Thu, 15 Nov 2018 02:57:41 GMT

please see the results of the packet tracer. Can we say something from this ? I donot say any drop
XXXX# packet-tracer input inside icmp 192.168.7.68 8 0 192.168.0.253
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.253 using egress ifc outside:conisp1
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 78, packet dispatched to next module
Result:
output-interface: conisp1
output-status: up
output-line-status: up
Action: allow

Re: inspecting ICMP on ASA

k.nandakumar — Thu, 15 Nov 2018 14:15:54 GMT

Running a packet capture on Router would show if it receives packet or not.