Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1072
Views
5
Helpful
1
Replies

ICMP Inspection and Extended Access-List

tjreeddoc
Level 1
Level 1

‎02-19-2015 10:49 AM - edited ‎03-11-2019 10:31 PM

I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?

 

  1. What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:

     

    policy-map global_policy

    class inspection_default

    inspect_icmp

     

    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:

     

    access-list inbound permit icmp any any echo-reply

    access-list inbound permit icmp any any source-quench

    access-list inbound permit icmp any any unreachable 

    access-list inbound permit icmp any any time-exceeded

    access-group inbound in interface outside

     

    Will the PING complete?

     

    Thank you,

     

    T.J.

Labels:
0 Helpful
1 Reply 1

ditrizna1
Level 1
Level 1

‎04-20-2015 04:09 AM

Hi, T.J.

 

If problem is still actual, I can answer you this question.

 

Let's see situation without ICMP inspection enabled:

The Cisco ASA will allow ICMP packets only in case if ACL entry exist on interface, where packet goes in. If we're speaking about ping, then ACL rules must allow packets in both directions.

 

In case with ICMP inspection, with ACL entry you should allow only request packets, replies will be allowed based on ICMP inspection created connection.

 

Speaking about your particular example with different security levels - with default ACL rule, that allow traffic from higher interface to lower - NO, you can do not enter that rules you described, and as you'll have successful ping.

If you deleted this rule and administrate allowed traffic manually, then YES, you must allow ICMP requests to have successful ping.

 

P.S. It's not a good practice to leave that default rule, which allow traffic from higher sec.lvl. to lower.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card