ASA not sending reject packets with correct ICMP unreachable

itdepteva
Level 1

Hi,

The ASA is not generating correct ICMP unreachable packets for denied UDP connections; the packets will simply be dropped (not rejected). For denied TCP connections it sends a correct TCP reset packet.

Is it possible to configure that correct behavior, or is it generally not possible because of some security reasons?

ICMP and icmp-error inspections are on.

Thanks in advance

Lars

2 Replies

Nicolas Fournier
Cisco Employee

Hi Lars,

There is no way to have the ASA generate ICMP unreachables for denied UDP packets, as it would be a security issue (firewalls try to be as stealthy as possible).

Also, the TCP behavior you describe will only happen if you have the following configured on your firewall:

asa5505-23(config)# service resetinbound

asa5505-23(config)# service resetoutbound 

Regards,

Nicolas

Hi Nicolas,

Thanks for your fast response. You are right that firewalls should try to be as stealthy as possible, but they should also conform to RFCs.

Short example of this behavior. You have an ACL that is blocking, for example, port 123 UDP (NTP) for server x. If somebody (a bad guy) tries to open a connection over the ASA to this port, the packet will be dropped and he'll get a timeout. When he tries other ports that are open (permit ACLs), he knows very fast that there is a firewall in between or the host has its own firewall.

If the ASA would send the correct ICMP unreachable, the bad guy would feel like server x is a normal system and there is no running service behind this port. I think that is better protection for server x.

Thanks again,

Lars
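As an added illustration (not from the thread, and not Cisco code), here is what the "correct" ICMP unreachable Lars asks for looks like on the wire, built and parsed in Python per RFC 792: a type 3 message quoting the original IP header plus the first 8 bytes of the denied datagram, which is how the receiver learns which UDP flow was refused. The addresses and the NTP probe are constructed sample values; code 13 (administratively prohibited, RFC 1812) is included to contrast the "filtered" answer with the "no service" answer.

```python
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACHABLE = 3
PORT_UNREACHABLE = 3      # "no service on that port" (RFC 792): the answer Lars wants
ADMIN_PROHIBITED = 13     # "filtered by policy" (RFC 1812): reveals a filter exists

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (IP/ICMP checksum); yields 0 over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4+UDP datagram used as sample input (UDP checksum 0 is legal in IPv4)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # fill header checksum
    return ip + udp

def build_unreachable(original: bytes, code: int) -> bytes:
    """ICMP type 3: 8-byte header + the original IP header + first 8 bytes of its payload."""
    ihl = (original[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + original[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_unreachable(msg: bytes) -> dict:
    """Verify the checksum and recover which flow (and which code) the message reports."""
    if len(msg) < 8 + 28 or inet_checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    if msg[0] != ICMP_DEST_UNREACHABLE:
        raise ValueError("not a destination unreachable message")
    inner = msg[8:]                       # quoted IP header of the denied datagram
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # first 8 bytes hold UDP ports
    return {"code": msg[1], "proto": inner[9],
            "src": str(IPv4Address(inner[12:16])), "dst": str(IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport}
```

Running `parse_unreachable(build_unreachable(probe, PORT_UNREACHABLE))` on a constructed udp/123 probe returns the original source/destination, protocol 17 and the two ports, which is exactly what a client (or a sensor watching for such replies) can learn from the message.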
