03-03-2013 07:34 AM - edited 03-11-2019 06:08 PM
Hi
I'm new to the ASA firewall. With no ACLs configured I'm trying to ping from a host on the inside to a host on the outside, pinging from a level 100 to a level 0. This is permitted and I realize that I would have to create an ACL to permit ICMP ping traffic (the echo reply to be returned). Is it possible to see the traffic being dropped and see the firewall reference that the traffic is being dropped by the explicit deny? I tried turning logging on and don't see any output there. Is there a debug I can run where I can see the live traffic being dropped?
Andy
Solved! Go to Solution.
03-03-2013 07:55 AM
Ah,
I actually had an ACL attached to my "outside" interface.
I removed the ACL and checked the ASDM logs again. This is the output without an ACL attached to the "outside" interface and "inspect icmp" disabled.
- Jouni
03-03-2013 07:48 AM
Hi,
By default, if you don't have any ACLs, the ICMP Echo will go through but the Echo reply won't be allowed back.
To correct this you will either have to
policy-map global_policy
class inspection_default
inspect icmp
The above configuration addition will automatically allow the ICMP Echo reply back through the firewall without any ACL or ACL rule on the "outside" interface.
If you have not enabled this "inspect icmp" or allowed the ICMP Echo reply in your "outside" interface ACL, you should still be able to see the ACL drops for the Echo reply in your ASDM monitoring or log buffer.
Here's an example from my own computer and ASA5505:
LAN HOST (Without ACL or "inspect icmp")
ASDM VIEW
After configuring ICMP inspection
LAN HOST
ASDM VIEW
Logging level to see the ACL blocks is "notifications"
Logging level to see the connection forming and teardown is "informational"
Hope this helps.
- Jouni
03-04-2013 08:42 AM
Hello Jouni,
Very helpful, thank you. I appreciate the level of detail in the response. You provided what I needed and more.
Andy
03-04-2013 09:35 AM
Hi Jouni,
This raises another question. I added ICMP to the global inspection policy as you had pointed out this is one way to allow the echo reply back through the firewall. And that works.
I notice in the global inspection list telnet or TCP is not listed; however, I can telnet from inside to outside. I presume this is allowed because I'm going from a higher level interface, inside (100), to a lower level interface, outside (0).
So that makes me ask the question: if everything is permitted, then what does the global inspection policy really do?
Andy
03-04-2013 09:51 AM
Hi,
To my understanding, its main purpose is to provide support for certain protocols to work correctly through the ASA, or to possibly enforce certain behaviour for them.
One good example is FTP.
This is because for FTP connections you open a Control connection first, but in addition to this the Data connection also has to be formed, and because of this the ASA has to inspect the FTP traffic to allow the Data connection, which naturally isn't part of the already formed connection through the firewall (whose return traffic would automatically be allowed through the firewall).
The same type of inspection operation could apply, for example, to Voice/Video traffic.
- Jouni
03-04-2013 09:13 AM
Jouni,
Here is the output from the CLI local logging buffer once I added the logging levels. This is what I wanted to see.
Thanks again.
Andy
ciscoasa# %ASA-6-302020: Built outbound ICMP connection for faddr 172.22.78.1/0 gaddr 172.16.100.10/37 laddr 172.16.100.10/37
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 172.22.78.1/0 gaddr 172.16.100.10/37 laddr 172.16.100.10/37
ciscoasa# %ASA-6-302020: Built outbound ICMP connection for faddr 172.22.78.1/0 gaddr 172.16.100.10/37 laddr 172.16.100.10/37
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 172.22.78.1/0 gaddr 172.16.100.10/37 laddr 172.16.100.10/37
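The buffer above shows the pattern Jouni described: a 302020 "Built outbound ICMP connection" followed by 106014 denies of the type 0 (echo reply) coming back. The parser below is an added example, not code from the thread, that detects that pattern in a syslog buffer and separates "echo reply dropped for a connection this firewall itself built" (the missing "inspect icmp" symptom) from any other inbound ICMP deny. The log lines it runs on are constructed to mirror the ones posted here, with one extra unsolicited type 8 deny from an assumed address.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's buffer (not a real capture);
# the 198.51.100.7 line is an assumed, unsolicited echo request deny.
SAMPLE_LOG = """\
ciscoasa# %ASA-6-302020: Built outbound ICMP connection for faddr 172.22.78.1/0 gaddr 172.16.100.10/37 laddr 172.16.100.10/37
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:172.22.78.1 dst inside:172.16.100.10 (type 0, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 172.22.78.1/0 gaddr 172.16.100.10/37 laddr 172.16.100.10/37
%ASA-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:172.16.100.10 (type 8, code 0)
"""

# %ASA-<severity>-<message id>: <body>; severity 3 (106014) is visible at
# "notifications", severity 6 (302020/302021) needs "informational".
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
DENY_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)")
BUILT_RE = re.compile(
    r"Built outbound ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+")

def parse_line(line):
    """Return a dict with severity, id and the fields of 106014 / 302020 bodies."""
    m = MSG_RE.search(line)          # search: tolerates the "ciscoasa# " prompt prefix
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"]}
    field_re = {"106014": DENY_RE, "302020": BUILT_RE}.get(rec["id"])
    if field_re:
        f = field_re.match(m["body"])
        if f:
            rec.update(f.groupdict())
    return rec

def unreturned_echo_replies(log_text):
    """Split 106014 denies into (outside host, inside host) counters:
    'symptom' = echo replies (type 0) dropped for a connection the ASA built
    outbound, i.e. no 'inspect icmp' and no permitting ACL; 'other' = the rest."""
    built, symptom, other = set(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["id"] == "302020":
            built.add((rec["faddr"], rec["laddr"]))
        elif rec["id"] == "106014":
            key = (rec["src"], rec["dst"])
            (symptom if rec["type"] == "0" and key in built else other)[key] += 1
    return symptom, other
```

A non-empty `symptom` counter is the signal that the global policy lacks `inspect icmp` (or the outside ACL lacks an echo-reply permit); `other` is ordinary inbound ICMP the default deny is meant to block.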