Denying ICMP on outside interface of ASA

mahesh18
Level 6

Hi Everyone,

On the ASA in ASDM mode I configured the ICMP rule

any outside deny any IP any Mask.

So basically I am denying ICMP on the outside interface of the ASA from any IP address and subnet mask.

After doing this here is results

1> From the ASA, ping to the inside interface and outside interface IP addresses works fine.

Need to know why -- how does the traffic flow?

2> From the ASA, any ping to the internet does not work.

3> From the PC I am able to ping any internet IP address. Need to know why ping works now?

Many thanks

Mahesh


8 Replies

Hello Mahesh

Is it possible to share your config?

regards

Harish

cadet alain
VIP Alumni

Hi,

You must differentiate forwarded traffic from traffic destined to or originated by the ASA.

In your case you denied ICMP messages destined to the outside interface, not ICMP messages going through your ASA.

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain.

When you say forwarded traffic, is this traffic going from the inside of the ASA to the outside world?

What is traffic originated by the ASA? Could you explain that in detail please?

When I ping from a PC attached to the inside interface to an outside host, then the return traffic comes back to the outside interface,

but it allows that traffic as it is for the inside interface, not the outside interface, right?

When I ping from the ASA to the outside world, then the source traffic is originated by the outside world and it is denied, right?

Regards

MAhesh

Hi,

Post a screenshot of what you did exactly, or post "show run" so we can see what you configured.

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain,

Here is what I did

ciscoasa(config)# icmp deny any outside

ciscoasa(config)# end

ciscoasa# sh run

ciscoasa# sh running-config

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password .vV.3QsyXqiTEfZu encrypted

passwd PnBz02JMnfQN7Ggt encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.11.5 255.255.255.0

!

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MST recurring

object-group network obj-192.168.1.0

pager lines 30

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 60

dhcpd dns 64.59.135.145

!

dhcpd address 192.168.1.5-192.168.1.250 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.103.24.10

webvpn

username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0123ac8c2120560e08333cb9edbde873

: end

Pinging an IP in the outside world:

ciscoasa# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa# debug icmp tra

ciscoasa# debug icmp trace

debug icmp trace enabled at level 1

ciscoasa# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

ICMP echo request from 192.168.11.5 to 4.2.2.2 ID=37045 seq=58604 len=72

ICMP echo reply from 4.2.2.2 to 192.168.11.5 ID=37045 seq=58604 len=72

Denied ICMP type = 0, code = 0 from 4.2.2.2 on interface 2

?ICMP echo request from 192.168.11.5 to 4.2.2.2 ID=37045 seq=58604 len=72

ICMP echo reply from 4.2.2.2 to 192.168.11.5 ID=37045 seq=58604 len=72

Denied ICMP type = 0, code = 0 from 4.2.2.2 on interface 2

?ICMP echo request from 192.168.11.5 to 4.2.2.2 ID=37045 seq=58604 len=72

ICMP echo reply from 4.2.2.2 to 192.168.11.5 ID=37045 seq=58604 len=72

Denied ICMP type = 0, code = 0 from 4.2.2.2 on interface 2

?ICMP echo request from 192.168.11.5 to 4.2.2.2 ID=37045 seq=58604 len=72

ICMP echo reply from 4.2.2.2 to 192.168.11.5 ID=37045 seq=58604 len=72

Denied ICMP type = 0, code = 0 from 4.2.2.2 on interface 2

?ICMP echo request from 192.168.11.5 to 4.2.2.2 ID=37045 seq=58604 len=72

ICMP echo reply from 4.2.2.2 to 192.168.11.5 ID=37045 seq=58604 len=72

Denied ICMP type = 0, code = 0 from 4.2.2.2 on interface 2

?

Success rate is 0 percent (0/5)

Pinging the inside interface does not work:

ciscoasa# ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

ICMP echo request from 192.168.11.5 to 192.168.1.1 ID=21179 seq=62282 len=72

?ICMP echo request from 192.168.11.5 to 192.168.1.1 ID=21179 seq=62282 len=72

?ICMP echo request from 192.168.11.5 to 192.168.1.1 ID=21179 seq=62282 len=72

?ICMP echo request from 192.168.11.5 to 192.168.1.1 ID=21179 seq=62282 len=72

?ICMP echo request from 192.168.11.5 to 192.168.1.1 ID=21179 seq=62282 len=72

?

Success rate is 0 percent (0/5)

Ping to the PC IP works:

ciscoasa# ping 192.168.1.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:

ICMP echo request from 192.168.1.1 to 192.168.1.5 ID=51867 seq=57002 len=72

!ICMP echo reply from 192.168.1.5 to 192.168.1.1 ID=51867 seq=57002 len=72

!ICMP echo request from 192.168.1.1 to 192.168.1.5 ID=51867 seq=57002 len=72

ICMP echo reply from 192.168.1.5 to 192.168.1.1 ID=51867 seq=57002 len=72

!ICMP echo request from 192.168.1.1 to 192.168.1.5 ID=51867 seq=57002 len=72

!ICMP echo reply from 192.168.1.5 to 192.168.1.1 ID=51867 seq=57002 len=72

!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ICMP echo request from 192.168.1.1 to 192.168.1.5 ID=51867 seq=57002 len=72

ICMP echo reply from 192.168.1.5 to 192.168.1.1 ID=51867 seq=57002 len=72

ICMP echo request from 192.168.1.1 to 192.168.1.5 ID=51867 seq=57002 len=72

ICMP echo reply from 192.168.1.5 to 192.168.1.1 ID=51867 seq=57002 len=72

Thanks

Mahesh

Hello Mahesh,

Let me try to help here.

icmp deny any outside: This will deny any traffic to the outside interface of the ASA. The key part is the "to".

Now the ICMP echo-reply should be dropped, so that is why you are not getting a successful rate when pinging 4.2.2.2.

When I ping from a PC attached to the inside interface to an outside host, then the return traffic comes back to the outside interface,

but it allows that traffic as it is for the inside interface, not the outside interface, right?

A/ In this scenario the answer is no, as the traffic needs to traverse the outside interface and you have a deny ICMP there, so no matter what it will get denied (even if you have the inspection on).

Any other question? Sure. Just remember to rate all of my answers.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

OK, so this is what I thought: you have disabled ICMP messages on the outside interface (those destined to this interface),

so

1) ping 4.2.2.2 is not working because the ICMP echo-replies are dropped

2) is not working because the echo-requests are sourced from interface outside but the replies are dropped

3) ping to the PC works because the requests are sourced from inside and the replies are accepted.

The PC's communication with the internet is routed by the ASA, so the return ICMP replies are permitted either by an ACL applied inbound on the outside interface or by inspecting ICMP (which is your case).

Regards.

Alain

Don't forget to rate helpful posts.

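The distinction the thread turns on (the ASA "icmp" control list governs only ICMP that terminates on an interface IP, while ICMP crossing the box is governed by ACLs and "inspect icmp") is easy to get wrong because the posted config uses "global (outside) 10 interface", so the PC's echo-replies also arrive addressed to 192.168.11.5. The model below is an added example, not code from the thread or from Cisco. It encodes the documented first-match semantics of the "icmp" command (implicit deny once any entry exists on the interface) and assumes, based on Mahesh's own observation that PC pings keep working, that an echo-reply matching an inspected connection is claimed before the to-the-box list is consulted. It replays the three outcomes reported in the thread against the posted "icmp deny any outside", and then against an assumed ordering (my suggestion, not one proposed by the thread) that admits echo-reply and unreachable ahead of the blanket deny, so the ASA's own pings work while inbound echo to the outside interface stays blocked. All class and function names are mine.

```python
from collections import namedtuple
from dataclasses import dataclass, field
import ipaddress

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8}
Packet = namedtuple("Packet", "src dst icmp_type ident ingress")  # ingress = arrival interface


@dataclass(frozen=True)
class IcmpRule:  # one entry of the to-the-box ICMP control list ('icmp' command)
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network
    interface: str
    icmp_type: int = None          # None matches every ICMP type

    @classmethod
    def parse(cls, line):
        """Parse 'icmp {permit|deny} {any|host A|A MASK} [type] IFACE'."""
        tok = line.split()
        rest = tok[2:]
        if rest[0] == "any":
            source, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            source, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:
            source, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
        # an optional ICMP type (name or number) precedes the interface name
        icmp_type = (int(rest[0]) if rest[0].isdigit() else ICMP_TYPES[rest[0]]) if len(rest) == 2 else None
        return cls(tok[1], source, rest[-1], icmp_type)


@dataclass
class Asa:
    interfaces: dict           # name -> {"ip", "network", "security"}
    pat_interface: str         # 'global (outside) 10 interface': PAT to that IP
    inspect_icmp: bool = True  # 'inspect icmp' in global_policy
    icmp_list: list = field(default_factory=list)
    slots: set = field(default_factory=set)  # (src, dst, id) of expected replies

    def egress_for(self, dst):  # connected subnet, else the default route via outside
        for name, p in self.interfaces.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p["network"]):
                return name
        return "outside"

    def icmp_list_permits(self, pkt):
        rules = [r for r in self.icmp_list if r.interface == pkt.ingress]
        if not rules:
            return True  # no list on this interface: ICMP to the box is allowed
        for r in rules:  # first match wins, implicit deny at the end
            if r.icmp_type in (None, pkt.icmp_type) and ipaddress.ip_address(pkt.src) in r.source:
                return r.action == "permit"
        return False

    def receive(self, pkt):
        # 1. a reply to an inspected connection is forwarded even though PAT gave it the outside IP
        key = (pkt.src, pkt.dst, pkt.ident)
        if pkt.icmp_type == 0 and self.inspect_icmp and key in self.slots:
            self.slots.discard(key)
            return "forwarded"
        # 2. anything else addressed to an interface IP terminates on the box: the 'icmp' list applies
        if pkt.dst in [p["ip"] for p in self.interfaces.values()]:
            return "accepted-by-box" if self.icmp_list_permits(pkt) else "denied-by-icmp-list"
        # 3. through traffic: higher -> lower security passes by default, lower -> higher needs an ACL
        egress = self.egress_for(pkt.dst)
        if self.interfaces[pkt.ingress]["security"] <= self.interfaces[egress]["security"]:
            return "denied-no-acl"
        if pkt.icmp_type == 8 and self.inspect_icmp:
            nat_src = self.interfaces[egress]["ip"] if egress == self.pat_interface else pkt.src
            self.slots.add((pkt.dst, nat_src, pkt.ident))  # open a slot for the echo-reply
        return "forwarded"

    def ping_from_box(self, iface, target, ident=1):
        """The ASA's own echo-request is not gated by the list, but its reply is."""
        reply = Packet(target, self.interfaces[iface]["ip"], 0, ident, iface)
        return self.receive(reply) == "accepted-by-box"

    def ping_through(self, host, ingress, target, ident=2):
        if self.receive(Packet(host, target, 8, ident, ingress)) != "forwarded":
            return False
        egress = self.egress_for(target)
        reply_dst = self.interfaces[egress]["ip"] if egress == self.pat_interface else host
        return self.receive(Packet(target, reply_dst, 0, ident, egress)) == "forwarded"


def run_scenarios(icmp_lines):
    # interfaces, security levels and PAT taken from the posted running-config
    asa = Asa({"inside": {"ip": "192.168.1.1", "network": "192.168.1.0/24", "security": 100},
               "outside": {"ip": "192.168.11.5", "network": "192.168.11.0/24", "security": 0}},
              pat_interface="outside")
    asa.icmp_list.extend(IcmpRule.parse(line) for line in icmp_lines)
    return {"asa_ping_internet": asa.ping_from_box("outside", "4.2.2.2"),
            "pc_ping_internet": asa.ping_through("192.168.1.5", "inside", "4.2.2.2"),
            "internet_echo_to_outside": asa.receive(Packet("4.2.2.2", "192.168.11.5", 8, 7, "outside"))}


AS_POSTED = ["icmp deny any outside"]
# assumed fix, not from the thread: admit what the box itself needs ahead of the blanket deny
HARDENED = ["icmp permit any echo-reply outside", "icmp permit any unreachable outside",
            "icmp deny any outside"]
```

run_scenarios(AS_POSTED) reproduces the thread: the ASA's own ping to 4.2.2.2 fails because the reply terminates on the outside IP and hits the deny, the PC's ping succeeds because its reply is matched to the inspected connection first, and an echo from the internet to 192.168.11.5 is denied. run_scenarios(HARDENED) keeps the last two results and makes the ASA's own ping work. The model deliberately ignores the inside-interface ping case from the debug output, where the request was sourced from the outside address, since the thread does not explain it.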

Hi Alain & Julio,

Thanks for your answer.

Best regards

Mahesh
