2059 Views, 5 Helpful, 5 Replies

ASA: Strange behaviour of ICMP echo replies through a S2S tunnel

swscco001
Level 1

Hello everybody,

today I have an issue regarding VPN filters for site-to-site VPNs
at an ASA5525 running OS rel. 9.12(4)26.

The customer has several site-to-site VPN tunnels and the issue occurs
with each of them, so I assume the reason is located in the general
configuration.

The VPN filter ACL IPSEC-MediaCologne is currently allowing the
remote users to ping and RDP local hosts (see attached small screen dump).

Now when he pings from a local host to a remote host he only gets ICMP
replies when he allows the remote users to ping local users by the
first VPN filter entry!

I thought that when:

...
policy-map global_policy
class inspection_default
...
inspect icmp
...

is in the configuration, ICMP will be treated similarly to a stateful protocol
so I don't need to think about the return traffic.

I don't know why we need a VPN filter entry allowing the remote users
to ping us to make the ASA let ICMP replies pass for our pings to
the remote hosts.

I attach the 'sh run all' output and perhaps someone has an explanation
for this behaviour.

Thanks a lot!

Bye

R.

 

5 Replies

I do not see any reason why that should be allowed.  The only reason I can think of is if dynamic IPs were used at the remote office to send periodic ping to keep the tunnel up.  But that is not the case in your setup.  Is there perhaps any equipment at the remote site that needs to ping over the VPN, perhaps to check if something is reachable?

You could remove it and see who starts screaming

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

thanks for your reply!

The customer wants to be able to ping remote hosts to check their availability and
not to bring up the tunnel. The remote users usually do not use ping.

The local customer starts a permanent ping to a remote host and when he deactivates
the first VPN filter entry for ICMP he gets no reply anymore.

In L2L VPN filter ACLs you ALWAYS define the source address as the "remote network".

So it looks like he needs to allow ICMP echo replies by an ACL entry even if

inspect icmp

is enabled.

This is not logical and would not be expected from a stateful firewall.

Perhaps someone can explain this to me and the customer.

Thanks a lot!

Bye

R.

It actually is logical.  The inspect icmp is for through-the-box traffic.  That is to say traffic that enters interface A and gets checked by the interface ACL, and this is where the inspect icmp is checked.  L2L VPN is to-the-box traffic.  By default, VPN traffic bypasses the interface ACL, so the inspect icmp will never be used.  You would need to disable the sysopt connection permit-vpn function; this will tell the ASA to check all VPN traffic against the interface ACL and you should now see that inspect icmp works.  If you decide to change to this type of setup, remember to remove the VPN filter configuration.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

when I disable sysopt connection permit-vpn, a lot of trouble with other tunnels will be the consequence. I know this from other cases.

The administrator just wants to ping a host in the remote protected network from a local protected host through a present S2S tunnel, and for that he needs to allow the reply traffic in the VPN filter ACL or disable sysopt connection permit-vpn? This is hard to believe.

I had a chat with the customer about this. Within a S2S tunnel, when sysopt connection permit-vpn
is enabled, reply traffic should be allowed without any entry in the VPN filter ACL and treated in a
stateful firewall style.

Would it be the same when he uses SSH instead of ping, so is it an exception for ICMP in comparison
with TCP?

The customer is asking: Should this be the behaviour of a stateful firewall?

Thanks for your effort!

Bye

R.

Comparing SSH to ICMP is like comparing apples and oranges.  They are not the same.  SSH is connection oriented while ICMP is connectionless.  This is why we need the inspect icmp to allow ICMP replies between interfaces on the firewall.

That being said, the inspect icmp needs to see the echo request on one interface, and then monitors for the echo reply on another interface (or the same interface in the case of hairpinning).  The problem with VPN is that the traffic is encrypted on the ingress interface, so the ASA does not see the initial ICMP request and is not able to check for the reply.  This is the reason you would need to allow the ICMP reply when coming through the VPN and not being able to disable sysopt connection permit-vpn.

--
Please remember to select a correct answer and rate helpful posts
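The thread's conclusion, written out as an added configuration example (constructed here; it is not the customer's 'sh run all' output and not the ACL from the attached screenshot). The ACL name, group-policy name, peer address and the two networks are all made up: 10.0.0.0/24 stands for the local protected network and 192.168.100.0/24 for the remote one. The example keeps the thread's convention that the remote network is always the source in a vpn-filter ACL; the ASA applies the filter to decrypted inbound traffic as written and with source and destination swapped for traffic about to be encrypted, so one ACL governs both directions. Because the ICMP echo reply arriving decrypted from the tunnel never had its request inspected, it must match an explicit line in the filter:

```text
! Added example (not the thread's own configuration). Names and addresses are constructed.
!
! --- VPN filter as the thread describes it: remote hosts may ping and RDP local hosts.
! --- The first line is the one whose removal makes local-initiated pings lose their
! --- replies, because the decrypted echo-reply has nothing else to match.
access-list VPN-FILTER-EXAMPLE extended permit icmp 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN-FILTER-EXAMPLE extended permit tcp  192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 3389
!
! --- Least-privilege variant to evaluate before deploying: permit only echo-reply from the
! --- remote side so that local hosts still get answers to their availability pings while
! --- remote hosts can no longer initiate pings into the local network. Whether the
! --- outbound echo request is still permitted by the swapped evaluation of this narrower
! --- line is something to verify with packet-tracer on the box (assumption, not tested here).
! access-list VPN-FILTER-EXAMPLE extended permit icmp 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 echo-reply
!
! --- Attach the filter to the group policy used by the site-to-site tunnel-group.
group-policy GP-S2S-EXAMPLE internal
group-policy GP-S2S-EXAMPLE attributes
 vpn-filter value VPN-FILTER-EXAMPLE
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-S2S-EXAMPLE
!
! --- Verification after the change (constructed host addresses):
! --- 1. local host pings remote host: the echo request leaves via the tunnel.
packet-tracer input inside icmp 10.0.0.10 8 0 192.168.100.10
! --- 2. the echo reply comes back decrypted and must hit the vpn-filter line.
packet-tracer input outside icmp 192.168.100.10 0 0 10.0.0.10
! --- 3. watch the hit counts climb while the permanent ping is running.
show access-list VPN-FILTER-EXAMPLE
```

The two packet-tracer runs show the asymmetry Marius describes: the outbound request is checked against the filter with addresses swapped, and the reply is checked on the way in; no ICMP inspection entry is created in between, so a missing permit on the reply side drops it silently. Comparing the hit counts from show access-list before and after removing a line is a safer way to find out what a filter entry is really used for than waiting to see who starts screaming.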