ASA "icmp" question.

AlexFer
Level 1

Hi Experts,

CLI Reference for "icmp" command states "The icmp command controls ICMP traffic that terminates on any ASA interface." As I read it, this is filtering on ingress (ie. incoming ICMP message).

But this example in same document throws me off:

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
ciscoasa(config)# icmp permit host 172.16.2.15 echo-reply outside
ciscoasa(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
ciscoasa(config)# icmp permit any unreachable outside

Surely, above "echo-reply" should be "echo"?

 

My reason for revisiting is that I'm receiving "%ASA-3-313001: Denied ICMP type=3, code=3 from {obfuscated} on interface external" which I don't expect, since "icmp" is provisioned thus:

5525# show running-config icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo external
icmp permit any external

R's, Alex

12 Replies

Panos Bouras
Level 1

Hi Alex,


Could be due to your ICMP inspect configuration.

Please check the following articles regarding ICMP Inspection on ASA

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/asdm74/firewall/asdm-74-firewall-config/inspect-basic.html#ID-2092-000007d4

and

https://community.cisco.com/t5/security-blogs/cisco-asa-and-icmp-inspection/ba-p/3773485

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

> Could be due to your ICMP inspect

I can’t see how - ICMP Inspect is for through ASA traffic, not to/from ASA.

Marvin Rhoads
Hall of Fame

I would expect the ASA to allow "echo" (not echo-reply). What was the source document?

Is the ASA-3-313001 message showing any other information? If not, perhaps you could packet capture it - it could be something other than an ICMP echo coming into the ASA interface.

> I would expect the ASA to allow "echo" (not echo-reply). What was the source document?

I quoted the example in the ASA CLI Reference for the command “icmp”.

> Is the ASA-3-313001 message showing any other information?

No - I copied the content as stored on the SYSLOG server, just with the IP address obfuscated. The ASA Log Reference explicitly states that 313001 is associated with the “icmp” command.

The log message indicates it is being generated due to a type 3 code 3 message. That indicates host unreachable / port unreachable. A basic ping (echo request) would be type 8.

Replies to traceroute initiated from inside your network would include icmp unreachable messages. Those need to be explicitly permitted if you want to allow that function. It would require something like this:

access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 

...along with the following in a class-map (that's referenced in your policy-map global_policy and applied via service-policy):

 class class-default
  set connection decrement-ttl
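The type/code numbers in the 313001 message are easier to reason about once they are mapped to names (type 8 is an echo request, type 3 code 3 is port unreachable, type 11 is the time-exceeded reply a traceroute produces). The following parser is an added example, not code from this thread or from Cisco; it reads syslog lines in the %ASA-3-313001 format Alex quoted, names each type/code using the keywords the ASA "icmp" command accepts for that type, and counts what is being denied per interface and source. The sample log lines are constructed for the example (RFC 5737 documentation addresses), and the severity digit in the regex is left flexible as an assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %ASA-3-313001 format quoted in the thread.
# Addresses are RFC 5737 documentation ranges; the unrelated 302013 line is there
# to show that non-313001 messages are ignored.
SAMPLE_LOGS = [
    "%ASA-3-313001: Denied ICMP type=3, code=3 from 203.0.113.10 on interface external",
    "%ASA-3-313001: Denied ICMP type=3, code=3 from 203.0.113.10 on interface external",
    "%ASA-3-313001: Denied ICMP type=11, code=0 from 198.51.100.7 on interface external",
    "%ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.44 on interface inside",
    "%ASA-6-302013: Built inbound TCP connection 12345 for external:203.0.113.10/40000 "
    "(203.0.113.10/40000) to inside:192.0.2.44/443 (192.0.2.44/443)",
]

# ICMP type numbers (RFC 792) mapped to the keyword the ASA "icmp" command uses
# for that type, e.g. "icmp permit any unreachable external".
ICMP_TYPE_KEYWORDS = {
    0: "echo-reply",
    3: "unreachable",
    4: "source-quench",
    5: "redirect",
    8: "echo",
    11: "time-exceeded",
    12: "parameter-problem",
    13: "timestamp-request",
    14: "timestamp-reply",
}

# Code meanings for the two types a traceroute reply would carry (RFC 792 / RFC 1812).
ICMP_CODE_NAMES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed", 13: "administratively prohibited"},
    11: {0: "ttl exceeded in transit", 1: "fragment reassembly time exceeded"},
}

# Severity digit is allowed to vary (assumption); the message id 313001 is fixed.
LOG_313001 = re.compile(
    r"%ASA-\d-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<iface>\S+)"
)


def parse_313001(line):
    """Return the fields of a 313001 message as a dict, or None for any other line."""
    m = LOG_313001.search(line)
    if m is None:
        return None
    return {
        "type": int(m.group("type")),
        "code": int(m.group("code")),
        "src": m.group("src"),
        "interface": m.group("iface"),
    }


def describe(icmp_type, code):
    """Human-readable name: ASA keyword plus RFC code meaning where one is known."""
    keyword = ICMP_TYPE_KEYWORDS.get(icmp_type, "type-%d" % icmp_type)
    code_name = ICMP_CODE_NAMES.get(icmp_type, {}).get(code)
    return keyword if code_name is None else "%s (%s)" % (keyword, code_name)


def summarize(lines):
    """Count denied to-the-box ICMP by (interface, type, code, source)."""
    counts = Counter()
    for line in lines:
        rec = parse_313001(line)
        if rec is not None:
            counts[(rec["interface"], rec["type"], rec["code"], rec["src"])] += 1
    return counts


def report(lines):
    """One line per distinct (interface, type, code, source), most frequent first."""
    out = []
    for (iface, t, c, src), n in summarize(lines).most_common():
        out.append("%s: %dx %s from %s" % (iface, n, describe(t, c), src))
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_LOGS):
        print(row)
```

Feeding a day of real 313001 lines through report() separates the two cases discussed in this thread: a handful of unreachable / time-exceeded messages from many different sources on the external interface looks like replies to outbound traceroutes, while a burst of assorted types from a single source looks like a scan.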


Surely, log message 313001 is not associated with a deny by access-group? The Cisco Log Reference specifically mentions the “icmp” command.

No, I'm not saying that message is due to any deny by access group.

The message indicates the ASA received the ICMP message and is discarding it. The ASA will do that for ICMP messages other than the echo requests (type 8) if all you have configured is to allow the ASA to reply to ICMP on the external interface.

I was going beyond the initial question and offering a theory as to why it is discarding ICMP type 3 (unreachable) messages.

Firstly, do you agree that the trigger of log message 313001 is an ICMP message with a destination IP address matching the “external” interface’s IP address?

Secondly, if the above is true, then either the ASA initiated the original ICMP request message that caused that response; or it’s simply a drive-by ICMP message received (but not initiated) by the ASA (perhaps initiated by nmap)?


> if all you have configured is to allow the ASA to reply to ICMP on the external interface.

Are you saying that because of my second line, “icmp permit any external”, log message 313001 is the result of the ASA not knowing what to do with it and dropping it?


@AlexFer wrote:

Firstly, do you agree that the trigger of log message 313001 is an ICMP message with a destination IP address matching the “external” interface’s IP address?


Yes I agree.



Secondly, if the above is true, then either the ASA initiated the original ICMP request message that caused that response; or it’s simply a drive-by ICMP message received (but not initiated) by the ASA (perhaps initiated by nmap)?


It could have been an external scan. More likely it is a response from some external host to an internally-generated traceroute. Either one could cause such input.



> if all you have configured is to allow the ASA to reply to ICMP on the external interface.

Are you saying that because of my second line, “icmp permit any external”, log message 313001 is the result of the ASA not knowing what to do with it and dropping it?


Correct. The command "icmp permit any external" by itself only configures the ASA to send ICMP echo replies in response to ICMP echo requests (ICMP type 8) from any external host. Any other type of incoming ICMP message will generate the 313001 message.

> More likely it is a response from some external host to an internally-generated traceroute. 

This can’t be, because then the destination IP address of this (response) ICMP message would be that of the internal host that generated the request (as you say, using traceroute) and NOT the ASA’s external interface IP address. In which case, we’d be seeing the deny log message pertaining to access-group, and not 313001.


It could be so if the ASA was configured to NAT internal hosts to the external interface address.

You've only shared a small snippet of the running-config, so I'm positing a common use case.

Granted, but I can assure you there is no NAT on this ASA.
