
ICMP Inspection

rakeshvelagala
Level 3

Hi All,

Please advise on the below

Say for ICMP we have enabled inspection; how does the firewall do the stateful inspection?

From other blogs, it seems the ASA will create a Dynamic ACL with a wildcard source address.

Question:

1) If it is a wildcard source address, and I have crafted a packet with the correct destination address and it is an ICMP reply, will it be successful?

2) What are the attributes the ASA firewall will keep in its stateful session for checking of the return traffic?

Thanks

3 Replies

Philip D'Ath
VIP Alumni

I think this applies to "icmp error" inspection, rather than "icmp" inspection, which is different.

(1) Yes. In fact, if you are good enough at spoofing packets you could do this for any reply packet of any type.

(2) I don't know. icmp error should be tied to an existing tcp/udp session I would think, while icmp inspection should match an existing outbound icmp packet.
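
To make the difference between the two checks concrete, here is a small added model (not code from this thread, and a simplified illustration rather than the ASA's actual implementation): a wildcard-source rule that accepts any echo reply addressed to the inside host, beside a state table that only accepts a reply matching an outstanding echo request by peer addresses, ICMP identifier and sequence number, and consumes that entry so a second copy of the same reply is dropped. All addresses and identifiers are constructed sample values.

```python
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Icmp:
    """The header fields a stateful ICMP check cares about (constructed model)."""
    src: str
    dst: str
    kind: int    # ICMP type: 8 = echo request, 0 = echo reply
    ident: int   # ICMP identifier
    seq: int     # ICMP sequence number


def wildcard_source_rule(pkt: Icmp, inside_host: str) -> bool:
    """The looser check the question describes: any echo reply to the inside host passes."""
    return pkt.kind == ECHO_REPLY and pkt.dst == inside_host


class IcmpStateTable:
    """Simplified stateful inspection: one reply allowed per tracked request."""

    def __init__(self) -> None:
        # (inside host, outside host, ident, seq) for requests still awaiting a reply
        self.pending: set[tuple[str, str, int, int]] = set()

    def outbound(self, pkt: Icmp) -> bool:
        if pkt.kind == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt: Icmp) -> bool:
        """Accept a reply only if it mirrors a pending request; then retire that entry."""
        if pkt.kind != ECHO_REPLY:
            return False
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reply mirrors the request's addresses
        if key not in self.pending:
            return False
        self.pending.remove(key)  # one reply per request, so a replayed copy is dropped
        return True


def demo() -> dict[str, bool]:
    fw = IcmpStateTable()
    fw.outbound(Icmp("10.1.1.5", "198.51.100.7", ECHO_REQUEST, ident=0x1234, seq=1))
    legit = Icmp("198.51.100.7", "10.1.1.5", ECHO_REPLY, 0x1234, 1)
    unsolicited = Icmp("203.0.113.9", "10.1.1.5", ECHO_REPLY, 0x1234, 1)  # right dst, no request
    return {
        "wildcard_legit": wildcard_source_rule(legit, "10.1.1.5"),            # True
        "wildcard_unsolicited": wildcard_source_rule(unsolicited, "10.1.1.5"),  # True
        "stateful_unsolicited": fw.inbound(unsolicited),                        # False
        "stateful_legit": fw.inbound(legit),                                    # True
        "stateful_replay": fw.inbound(legit),                                   # False
    }
```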

Hello Philip,

I got into a recent small issue with ICMP on ASA. In production on ASA boxes doing mostly VPN (site-to-site or Anyconnect) do you enable or not ICMP inspect?

Do you have any recommendations or best practices for when to enable and when to use the default config on ICMP inspect?

Thanks,

Florin.

I always turn it on. I think it is too valuable as a tool to leave off.
