ICMP Inspect Bypass

iec1128759 (Level 1)

I have a switch that is monitored via ping and SNMP on VLAN 1, and I recently configured a new VLAN 2 for monitoring.

When validating locally I reach both IPs, but I did not replace the default-gateway on the switch; it is still on VLAN 1, and the switch is in layer 2. When validating on the ASA I see that the connection is established; however, when the switch answers from the new IP, it returns via VLAN 1. The ASA does not see a connection on that interface and drops the packet. I need to know a way to do an ICMP bypass so the switch can answer me from the new IP, without disabling inspect icmp.

Regards.

Attached error


----------------------------------

ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the ASA or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the ASA.

An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.

-----------------------------------------------------------------


4 REPLIES

Hello

Question: is it required to keep VLAN 1 on the switch? Why don't you keep only VLAN 2?

Do you have ICMP inspection on the ASA?

TEST-ASA(config)# policy-map global_policy
TEST-ASA(config-pmap)# class inspection_default
TEST-ASA(config-pmap-c)# inspect icmp


Question: is it required to keep VLAN 1 on the switch? Why don't you keep only VLAN 2?

Because, before changing the monitoring tool, I need to reach the new IP. We are talking about 500 switches.

Yes, I have inspection active on global policy.

Regards.

There is a way to bypass ICMP inspection, but I need to check it first.

The way is using a specific ACL for inspection, not the global default one.

I applied

------------------------

access-list passInside extended permit tcp host 192.168.50.1 host 192.168.3.1
access-list passInside extended permit icmp host 192.168.50.1 host 192.168.3.1
!
class-map passTCP
match access-list passInside
!
policy-map passInsTrue
class passTCP
set connection advanced-options tcp-state-bypass
!
service-policy passInsTrue interface Inside

access-list passVlan1 extended permit tcp host 192.168.3.1 host 192.168.50.1
access-list passVlan1 extended permit icmp host 192.168.3.1 host 192.168.50.1
!
class-map passTCPV1
match access-list passVlan1
!
policy-map passV1True
class passTCPV1
set connection advanced-options tcp-state-bypass

service-policy passV1True interface vlan1

------------------------------------------------------

Currently I can already open telnet or SSH to the switch. However, the ping command does not respond to me.

If I disable the inspect, I reach it. But for best practices it is recommended not to disable it.


Regards.
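To illustrate why the ASA drops the reply in the setup described in this thread, the following is an added Python model of the stateful ICMP check (not Cisco code and not posted by anyone in the thread). The addresses and the interface names Inside and vlan1 come from the posted configuration; vlan2 as the interface the echo request leaves through is an assumption.

```python
from dataclasses import dataclass

# Addresses from the thread's access-lists; interface names are assumptions.
MONITOR = "192.168.50.1"   # monitoring host, reached via the "Inside" interface
SWITCH = "192.168.3.1"     # new management IP of the switch (VLAN 2)

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str      # "echo-request" or "echo-reply"
    ident: int     # ICMP identifier
    seq: int       # ICMP sequence number
    iface: str     # ASA interface the packet arrives on

class StatefulIcmp:
    """Toy model of 'inspect icmp': an echo reply is permitted only if it
    matches a request the ASA already forwarded, and the conn entry is tied
    to the interface pair, so the reply must come back on the interface the
    request left through (symmetric routing)."""
    def __init__(self):
        # (src, dst, ident, seq) -> interface the request was sent out of
        self.sessions = {}

    def process(self, pkt, egress=None):
        if pkt.kind == "echo-request":
            self.sessions[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = egress
            return "permit"
        # A reply answers the request with src/dst swapped and the same id/seq.
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if self.sessions.get(key) != pkt.iface:
            # Same reason the thread's syslog text gives: no valid request is
            # known for this reply on the interface it arrived on.
            return "drop: echo reply without a valid echo request"
        del self.sessions[key]   # session removed once the reply has passed
        return "permit"

def ping_verdict(reply_iface):
    """Send one request from MONITOR to SWITCH out of vlan2 and return the
    ASA verdict for the reply arriving on reply_iface."""
    asa = StatefulIcmp()
    asa.process(Icmp(MONITOR, SWITCH, "echo-request", 0x1234, 1, "Inside"),
                egress="vlan2")
    return asa.process(Icmp(SWITCH, MONITOR, "echo-reply", 0x1234, 1, reply_iface))

if __name__ == "__main__":
    # Reply returns through vlan1 (the switch's default gateway): dropped.
    print("asymmetric:", ping_verdict("vlan1"))
    print("symmetric: ", ping_verdict("vlan2"))   # returns on vlan2: permitted
```

Note that the `tcp-state-bypass` option in the posted policy relaxes state checks for TCP flows only, which is why telnet and SSH work while the ICMP session created by `inspect icmp` is still checked; the model above reflects that ICMP side only.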