07-08-2011 05:29 AM - edited 03-11-2019 01:56 PM
Hi,
the ASA is not generating correct ICMP unreachable packets for denied UDP connections; the packets are simply dropped (not rejected). For denied TCP connections it sends a correct TCP reset packet.
Is it possible to configure that correct behavior, or is it generally not possible because of some security reasons?
icmp and icmp-error inspections are on.
Thanks in advance
Lars
07-08-2011 07:15 AM
Hi Lars,
There is no way to have the ASA generate ICMP unreachables for denied UDP packets as it would be a security issue (Firewalls try to be as stealth as possible).
Also, the TCP behavior you describe will only happen if you have the following configured on your firewall:
asa5505-23(config)# service resetinbound
asa5505-23(config)# service resetoutbound
Regards,
Nicolas
07-11-2011 01:29 AM
Hi Nicolas,
thanks for your fast response. You are right that firewalls should try to be as stealthy as possible, but they should also conform to RFCs.
Short example of this behavior: you have an ACL that is blocking, for example, UDP port 123 (NTP) for server X. If somebody (a bad guy) tries to open a connection through the ASA to this port, the packet is dropped and he gets a timeout. When he tries other ports that are open (permit ACLs), he knows very quickly that there is a firewall in between or that the host has its own firewall.
If the ASA sent the correct ICMP unreachable, the bad guy would think server X is a normal system with no service running behind this port. I think that is better protection for server X.
Thanks again,
Lars