
ASA and ICMP ACLs

robert.horrigan
Level 2

Hello ASA-Gurus,

   I believe my ignorance is going to shine in this post, but any help with my problem would be most appreciated.  I've deployed a number of ASA firewalls and I've come to find that ICMP seems to act differently on each implementation.  Sometimes I only need to allow ICMP inbound from the inside interface and the internal clients can ping the servers just fine.  Other times I have to allow ICMP both in and outbound in order for the clients to be able to ping the servers (as the firewall drops the server's reply traffic without the ACL on the outside interface).  Am I going crazy here, or do the different versions of ASA OS work differently?  Is there a setting that I can enable that will allow me to only have to apply the ICMP ACL on the inbound interface?

/r

Rob

Accepted Solution

mirober2
Cisco Employee

Hi Rob,

The answer to your question here is ICMP inspection. When ICMP inspection is disabled, pings are treated as 2 separate flows (one for the echo request and one for the echo reply). This is because ICMP traffic is treated as stateless by default (i.e. we don't track the request and response as a single flow). The inspection is disabled by default on the ASA, so you need to permit both the echo request and echo reply in the ACLs.

When ICMP inspection is enabled, the ASA treats the ICMP traffic as a unique connection. Therefore, when an echo request is seen, the ASA will open a pinhole in the ACL for the return echo reply.

You can enable the ICMP inspection with the following commands:

policy-map global_policy
   class inspection_default
      inspect icmp
service-policy global_policy global

Hope that helps.

-Mike

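To make the two cases in Mike's answer concrete, here is a small Python model, added here and not ASA code or part of the thread, of how the per-interface ACLs and "inspect icmp" decide the fate of an echo request and its reply. The interface names, the addresses and the one-reply-per-request teardown are assumptions of the model.

```python
from dataclasses import dataclass, field

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int  # ICMP identifier; a reply carries the identifier of its request


@dataclass
class ToyAsa:
    inspect_icmp: bool
    # interface -> inbound permit rules (src, dst); "any" is a wildcard
    acls: dict[str, list[tuple[str, str]]]
    conns: set[tuple[str, str, int]] = field(default_factory=set)

    def acl_permits(self, iface: str, pkt: Icmp) -> bool:
        return any(s in ("any", pkt.src) and d in ("any", pkt.dst)
                   for s, d in self.acls.get(iface, []))

    def process(self, iface: str, pkt: Icmp) -> str:
        # Inspection on: a reply matching an outstanding request belongs to that
        # connection and bypasses the interface ACL (the "pinhole"). The entry is
        # consumed, so the model lets exactly one reply through per request.
        if self.inspect_icmp and pkt.icmp_type == ECHO_REPLY:
            if (pkt.dst, pkt.src, pkt.ident) in self.conns:
                self.conns.discard((pkt.dst, pkt.src, pkt.ident))
                return "permit (connection)"
        # Everything else is judged only by the ACL of the interface it arrives on.
        if not self.acl_permits(iface, pkt):
            return "drop (acl)"
        if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
            self.conns.add((pkt.src, pkt.dst, pkt.ident))
        return "permit (acl)"


def ping_through(inspect: bool, outside_permits_icmp: bool) -> list[str]:
    """Inside client pings an outside server; returns [request, reply] verdicts."""
    acls = {"inside": [("any", "any")],
            "outside": [("any", "any")] if outside_permits_icmp else []}
    asa = ToyAsa(inspect_icmp=inspect, acls=acls)
    req = Icmp("10.1.1.10", "192.0.2.20", ECHO_REQUEST, 0x1234)  # constructed
    rep = Icmp("192.0.2.20", "10.1.1.10", ECHO_REPLY, 0x1234)
    return [asa.process("inside", req), asa.process("outside", rep)]
```

ping_through(False, False) reproduces Rob's symptom (the reply dies on the outside ACL), ping_through(False, True) is his both-directions workaround, and ping_through(True, False) is the pinhole Mike describes. With inspection on, a reply that matches no outstanding request is still judged by the outside ACL and dropped.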

2 Replies


Got it, thanks a lot for the information.
