452 Views, 0 Helpful, 12 Replies
Beginner

ASA "icmp" question.

Hi Experts,

The CLI Reference for the "icmp" command states: "The icmp command controls ICMP traffic that terminates on any ASA interface." As I read it, this is filtering on ingress (i.e. incoming ICMP messages).

But this example in same document throws me off:

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
ciscoasa(config)# icmp permit host 172.16.2.15 echo-reply outside
ciscoasa(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
ciscoasa(config)# icmp permit any unreachable outside

Surely the "echo-reply" above should be "echo"?


My reason for revisiting is that I'm receiving "%ASA-3-313001: Denied ICMP type=3, code=3 from {obfuscated} on interface external" which I don't expect, since "icmp" is provisioned thus:

5525# show running-config icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo external
icmp permit any external

R's, Alex

12 REPLIES
Beginner

Re: ASA "icmp" question.

Beginner

Re: ASA "icmp" question.

> Could be due to your ICMP inspect

I can’t see how - ICMP Inspect is for through-ASA traffic, not traffic to/from the ASA.

Hall of Fame Guru

Re: ASA "icmp" question.

I would expect the ASA to allow "echo" (not echo-reply). What was the source document?

Is the ASA-3-313001 message showing any other information? If not, perhaps you could packet capture it - it could be something other than an ICMP echo coming into the ASA interface.

Beginner

Re: ASA "icmp" question.

> I would expect the ASA to allow "echo" (not echo-reply). What was the source document?

I quoted the example in the ASA CLI Reference for the command “icmp”.

> Is the ASA-3-313001 message showing any other information?

No - I copied the content as stored on the SYSLOG server, just with the IP address obfuscated. The ASA Log Reference explicitly states that 313001 is associated with the “icmp” command.

Hall of Fame Guru

Re: ASA "icmp" question.

The log message indicates it is being generated due to a type 3 code 3 message. That indicates host unreachable / port unreachable. A basic ping (echo request) would be type 8.

Replies to traceroute initiated from inside your network would include icmp unreachable messages. Those need to be explicitly permitted if you want to allow that function. It would require something like this:

access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 

...along with the following in a class-map (that's referenced in your policy-map global_policy and applied via service-policy):

 class class-default
  set connection decrement-ttl
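
Reading a batch of these 313001 denials by hand gets tedious once more than a few ICMP types are involved. The following Python is an added example, not something posted in this thread, that parses the message format quoted above, names each denied ICMP type with the keyword the ASA "icmp" command uses (so the output maps directly onto a permit rule you might add), and tallies denials per source and per kind. A defender can then tell a handful of unreachable/time-exceeded messages from one source, the shape of traceroute replies, apart from a single source sending many different ICMP types. The syslog lines embedded in it are constructed samples using documentation address ranges; the type-to-keyword table is assumed from the standard ICMP type numbers and should be checked against the ASA CLI Reference before use.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-3-313001 format quoted in the
# thread (one unrelated 302013 line is included to show it is ignored).
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
%ASA-3-313001: Denied ICMP type=3, code=3 from 203.0.113.5 on interface external
%ASA-3-313001: Denied ICMP type=11, code=0 from 198.51.100.9 on interface external
%ASA-3-313001: Denied ICMP type=3, code=3 from 203.0.113.5 on interface external
%ASA-3-313001: Denied ICMP type=13, code=0 from 192.0.2.77 on interface external
%ASA-6-302013: Built inbound TCP connection 12 for external:192.0.2.77/4444 (192.0.2.77/4444) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# ICMP type numbers mapped to the keywords the ASA "icmp" command accepts
# (assumed mapping based on the standard IANA ICMP type numbers).
ICMP_TYPE_KEYWORDS = {
    0: "echo-reply", 3: "unreachable", 4: "source-quench", 5: "redirect",
    8: "echo", 9: "router-advertisement", 10: "router-solicitation",
    11: "time-exceeded", 12: "parameter-problem", 13: "timestamp-request",
    14: "timestamp-reply", 15: "information-request", 16: "information-reply",
    17: "mask-request", 18: "mask-reply", 30: "traceroute",
}

# Codes of ICMP type 3 (destination unreachable), per RFC 792 / RFC 1122.
UNREACHABLE_CODES = {
    0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
    3: "port-unreachable", 4: "fragmentation-needed", 5: "source-route-failed",
}

# Matches the 313001 text as it appears in the thread; other message IDs do not match.
LINE_RE = re.compile(
    r"%ASA-\d-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<iface>\S+)"
)


def parse_313001(line):
    """Return the fields of one 313001 message, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "type": int(m.group("type")),
        "code": int(m.group("code")),
        "src": m.group("src"),
        "iface": m.group("iface"),
    }


def describe(icmp_type, code):
    """Human-readable name: ASA keyword, plus the code name for unreachables."""
    name = ICMP_TYPE_KEYWORDS.get(icmp_type, f"type-{icmp_type}")
    if icmp_type == 3:
        return f"{name}/{UNREACHABLE_CODES.get(code, f'code-{code}')}"
    return f"{name}/code-{code}"


def summarize(log_text):
    """Count to-the-box ICMP denials by source address and by ICMP kind."""
    events = [e for e in (parse_313001(l) for l in log_text.splitlines()) if e]
    return {
        "events": len(events),
        "by_source": Counter(e["src"] for e in events),
        "by_kind": Counter(describe(e["type"], e["code"]) for e in events),
        "interfaces": sorted({e["iface"] for e in events}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['events']} denied ICMP messages on {', '.join(s['interfaces'])}")
    for kind, n in s["by_kind"].most_common():
        print(f"  {n:3d}  {kind}")
    for src, n in s["by_source"].most_common():
        print(f"  {n:3d}  from {src}")
```

Feed it the raw lines from the syslog server (for example `summarize(open("asa.log").read())`); the "by_kind" names are the same keywords you would put in an `icmp permit ... <keyword> external` rule if you decide a given kind is legitimate, while a source that shows up under many kinds at once is worth a packet capture rather than a permit.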


Beginner

Re: ASA "icmp" question.

Surely log message 313001 is not associated with a deny by access-group? The Cisco Log Reference specifically mentions the “icmp” command.

Hall of Fame Guru

Re: ASA "icmp" question.

No, I'm not saying that message is due to any deny by access group.

The message indicates the ASA received the ICMP message and is discarding it. The ASA will do that for ICMP messages other than the echo requests (type 8) if all you have configured is to allow the ASA to reply to ICMP on the external interface.

I was going beyond the initial question and offering a theory as to why it is discarding ICMP type 3 (unreachable) messages.

Beginner

Re: ASA "icmp" question.

Firstly, do you agree that the trigger of log message 313001 is an ICMP message with a destination IP address matching the “external” interface’s IP address?

Secondly, if the above is true, then either the ASA initiated the original ICMP request message that caused that response; or it’s simply a drive-by ICMP message received (but not initiated) by the ASA (perhaps initiated by nmap)?

> if all you have configured is to allow the ASA to reply to ICMP on the external interface.

Are you saying that, because of my second line, “icmp permit any external”, log message 313001 is the result of the ASA not knowing what to do with it and dropping it?

Hall of Fame Guru

Re: ASA "icmp" question.

> Firstly, do you agree that the trigger of log message 313001 is an ICMP message with a destination IP address matching the “external” interface’s IP address?

Yes I agree.

> Secondly, if the above is true, then either the ASA initiated the original ICMP request message that caused that response; or it’s simply a drive-by ICMP message received (but not initiated) by the ASA (perhaps initiated by nmap)?

It could have been an external scan. More likely it is a response from some external host to an internally-generated traceroute. Either one could cause such input.

> > if all you have configured is to allow the ASA to reply to ICMP on the external interface.
>
> Are you saying that, because of my second line, “icmp permit any external”, log message 313001 is the result of the ASA not knowing what to do with it and dropping it?

Correct. The command "icmp permit any external" by itself only configures the ASA to send ICMP echo replies in response to ICMP echo requests (ICMP type 8) from any external host. Any other type of incoming ICMP message will generate the 313001 message.

Beginner

Re: ASA "icmp" question.

> More likely it is a response from some external host to an internally-generated traceroute.

This can’t be, because then the destination IP address of this (response) ICMP message would be that of the internal host that generated the request (as you say, using traceroute) and NOT the ASA’s external interface IP address. In which case, we’d be seeing the deny log message pertaining to access-group, and not 313001.

Hall of Fame Guru

Re: ASA "icmp" question.

It could be so if the ASA was configured to NAT internal hosts to the external interface address.

You've only shared a small snippet of the running-config so I'm positing a common use case.

Beginner

Re: ASA "icmp" question.

Granted, but I can assure you there is no NAT on this ASA.