ICMP Inspection Not Working

alistair.cowan
Level 1

Hi Folks,

I've recently deployed a Cisco 5510 Security Plus (8.2.1) to a small company; I've the basics working, but just need to close off some further configurations.  I have a couple of issues, but thought I'd start off with the most basic.

I'm trying to ping from INSIDE (from 10.84.x.x hosts, which are routed via separate router @ 10.84.0.1/192.16.84.10 to the Cisco ASA @ 192.16.84.1) to any machine on the OUTSIDE.

I have ICMP enabled in the default inspection map, however pings are still timing out, and I'm seeing the following in the logging (when pinging news.bbc.co.uk from my own desktop):

Severity: 4 | Date: Nov 17 2010 | Time: 10:25:50 | Syslog ID: 106023 | Source: 10.84.6.37 | Destination: 212.58.246.80 | Description: Deny icmp src inside:10.84.6.37 dst outside:212.58.246.80 (type 8, code 0) by access-group "int_transit_access_in" [0x0, 0x0]

So the ASA is dropping the traffic due to that ACL, despite the fact there's a default ICMP inspection in play.  Is there any reason why the ACL may override the inspection?  If it makes any difference, dynamic NAT is in play between the internal 10.84.x.x subnet and the external interface.

I've attached a sanitised copy of my running config.  Apologies if it is difficult to read, or if I haven't provided enough information here; I'm fairly new to Cisco and the running configuration is very much a work in progress.

Many thanks,

Alistair


4 Replies

Jennifer Halim
Cisco Employee

An ACL which is assigned to an interface comes first, before the default ICMP inspection.

ICMP inspection provides deep packet inspection on ICMP packets to create the necessary xlate/translation; however, all interface access-lists will be checked first for all traffic.

You would need to configure your "int_transit_access_in" ACL to allow the ICMP traffic through.

Hope that makes sense.

Hi Jennifer,

Thanks for the quick response, much appreciated.

I'm not sure I totally understand this; surely all ASAs will require some sort of ACLs to filter traffic, and therefore ICMP inspection will always be overridden by the ACLs, rendering inspection useless in the majority of cases?

Or perhaps I misunderstand inspections in general; I thought they should bypass the need for ACLs, but are they actually purely used to allow translations, despite the fact I have dynamic NAT implemented, which I thought would handle it?  Strangely, if I disable the ICMP inspection and instead create 'any icmp' rules in the ACLs, pings do begin to work...

Sorry for the confusion!

Alistair

No, inspection provides deeper packet inspection, and the ACL applied on the interface provides the first level of filtering.

Whether you have inspection turned on or off for ICMP, you still need to allow the traffic through if you have an ACL applied to your ASA interface.

Here is more information on icmp inspection for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1720439

Just taking FTP inspection in more detail:

When you enable FTP inspection, the ASA will check the FTP control connection and dynamically open a pinhole for the FTP data connection, as we know that FTP control and data are on different ports.

The same applies to the rest of the inspections, where they provide deep packet inspection according to the application-specific feature.
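The order of operations Jennifer describes in both replies (interface ACL first, inspection only afterwards, and inspection's pinhole being what lets the echo-reply back in) can be seen end to end in the small Python model below. This is an added example written for this page, not Cisco code or anything from the original thread: it parses the %ASA-4-106023 line from the post and then pushes an echo request and its reply through three configurations. The inside network (10.84.0.0/16), the interface names and the ACL name int_transit_access_in come from the post; the outside ACL name outside_access_in, its empty contents, and the ICMP identifier value are assumptions. The equivalent fix on the real box is a line like `access-list int_transit_access_in extended permit icmp 10.84.0.0 255.255.0.0 any echo` while keeping `inspect icmp` in the global policy.

```python
"""Constructed model of the ASA packet flow discussed in this thread.

Not Cisco code: a simulator showing why an interface ACL deny is logged
even though 'inspect icmp' is enabled, and what inspection actually does
(matching the echo-reply to a tracked connection so the outside ACL is
never consulted for it). Addresses, interface names and the ACL name
int_transit_access_in come from the post; everything else is assumed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The description field of the syslog 106023 message quoted in the post.
DENY_LOG = ('Deny icmp src inside:10.84.6.37 dst outside:212.58.246.80 '
            '(type 8, code 0) by access-group "int_transit_access_in" [0x0, 0x0]')

LOG_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"')


def parse_deny(line):
    """Extract the fields of a %ASA-4-106023 ICMP deny message, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['type'], d['code'] = int(d['type']), int(d['code'])
    return d


@dataclass(frozen=True)
class Ace:
    action: str                        # 'permit' or 'deny'
    proto: str                         # 'icmp', 'tcp', ...
    src: str                           # CIDR
    dst: str                           # CIDR
    icmp_type: Optional[int] = None    # None = any ICMP type

    def matches(self, pkt):
        return (self.proto == pkt.proto
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.icmp_type in (None, pkt.icmp_type))


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str = 'icmp'
    icmp_type: int = 8                 # 8 = echo request, 0 = echo reply
    icmp_id: int = 1                   # assumed identifier used to pair request and reply


SECURITY_LEVEL = {'inside': 100, 'outside': 0}   # ASA defaults for these nameifs


class Asa:
    def __init__(self, acls, inspect_icmp):
        self.acls = acls               # {ingress interface: (acl name, [Ace, ...])}
        self.inspect_icmp = inspect_icmp
        self.conns = set()             # (src, dst, icmp id) of echo requests seen by inspection

    def forward(self, pkt):
        # 1. A reply matching a tracked echo request bypasses the ingress ACL entirely.
        if (self.inspect_icmp and pkt.icmp_type == 0
                and (pkt.dst, pkt.src, pkt.icmp_id) in self.conns):
            self.conns.discard((pkt.dst, pkt.src, pkt.icmp_id))
            return 'permit', 'existing inspected conn'
        # 2. Ingress interface ACL: first match wins, implicit deny at the end.
        #    Inspection has not been consulted yet; this is where the posted log line comes from.
        if pkt.in_if in self.acls:
            name, aces = self.acls[pkt.in_if]
            hit = next((a for a in aces if a.matches(pkt)), None)
            if hit is None or hit.action == 'deny':
                return 'deny', (f'Deny {pkt.proto} src {pkt.in_if}:{pkt.src} dst {pkt.out_if}:{pkt.dst} '
                                f'(type {pkt.icmp_type}, code 0) by access-group "{name}" [0x0, 0x0]')
        elif SECURITY_LEVEL[pkt.in_if] <= SECURITY_LEVEL[pkt.out_if]:
            return 'deny', 'no ACL applied and lower-to-higher security level'
        # 3. Only a permitted packet reaches 'inspect icmp', which records the echo request.
        if self.inspect_icmp and pkt.icmp_type == 8:
            self.conns.add((pkt.src, pkt.dst, pkt.icmp_id))
        return 'permit', 'ACL permit'


INSIDE_NET, BBC = '10.84.0.0/16', '212.58.246.80'
ECHO = Packet('inside', 'outside', '10.84.6.37', BBC, icmp_type=8)
REPLY = Packet('outside', 'inside', BBC, '10.84.6.37', icmp_type=0)
NO_ICMP = [Ace('permit', 'tcp', INSIDE_NET, '0.0.0.0/0')]                   # as posted: no ICMP entry
WITH_ECHO = NO_ICMP + [Ace('permit', 'icmp', INSIDE_NET, '0.0.0.0/0', 8)]  # the fix: permit echo out
OUTSIDE_ACL = ('outside_access_in', [])                                      # assumed: nothing permitted inbound


def ping(inside_aces, inspect_icmp):
    """Run echo request then echo reply through the model; return both (verdict, reason) pairs."""
    asa = Asa({'inside': ('int_transit_access_in', inside_aces), 'outside': OUTSIDE_ACL}, inspect_icmp)
    return asa.forward(ECHO), asa.forward(REPLY)


if __name__ == '__main__':
    print(parse_deny(DENY_LOG))
    print(ping(NO_ICMP, True))     # posted config: echo denied by the ACL, inspection never reached
    print(ping(WITH_ECHO, True))   # ACL fixed: echo permitted, reply rides the inspected conn
    print(ping(WITH_ECHO, False))  # inspection off: reply now needs its own permit on the outside ACL
```

The third scenario is the behaviour Alistair saw when he disabled inspection and added 'any icmp' rules: without `inspect icmp` the ASA does not pair replies with requests, so the echo-reply is evaluated against the outside interface's ACL like any other inbound packet.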

Excellent, thanks for this Jennifer - makes sense!

Alistair
