How can ICMP pass the packet tracer from inside to outside even though I did not configure inspection?

Hele Du
Level 1

Hi Everyone,

I have a question that is confusing me.

I didn't configure ICMP inspection, but ICMP traffic can pass from inside to outside.

Could anyone help me with this?

Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

This is expected, as you have an "ip any any" ACL on the outside interface.

So what happens is that an ICMP ping will create two different connections: one from inside to outside (allowed because of the higher-to-lower security level) and one for the return traffic from outside, which gets allowed by this ACL.

Thanks and Regards,

Vibhor Amrodia


Hi Vibhor,

I think it is not expected.

Although I configured an ACL, this ACL is for the outside interface, so I think ICMP can pass from outside to inside.

I did not configure ICMP inspection or an ACL on the inside interface.

The packet tracer is from inside to outside.

Please correct me if I have made a mistake.

Hi Vibhor,

I am clear now!

The inspection engine is normally used for return traffic.

Security-level high to low is always permitted.

The procedure is below:

1. Inside-to-outside traffic is permitted (no ACL needed).

2. Outside-to-inside traffic is permitted (even though there is no inspection for the return traffic, there is an ACL permitting it).
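The two situations discussed in the thread, shown as ASA configuration. This is an added example, not configuration from the original post: the interface names, the ACL name OUTSIDE_IN and the addresses are constructed, and NAT is omitted. The first block reproduces the as-found state, where echo replies are admitted only because the outside ACL permits everything inbound; the second enables ICMP inspection so the replies are matched to the outgoing request and the blanket permit can be removed.

```text
! --- As-found configuration (the situation in the thread) ---
! The outside interface (security-level 0) carries an ACL that permits
! everything inbound, so ICMP echo replies from outside are allowed by
! the ACL, not by stateful inspection. Unsolicited inbound traffic is
! allowed by the same line.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
! No "inspect icmp" in global_policy: replies pass only because of the ACL.

! --- Corrected configuration ---
! With ICMP inspection, an echo request leaving inside creates a
! connection and only the matching echo reply is admitted on the way
! back, so the outside ACL no longer needs to permit anything for ping.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Add an explicit deny first so the ACL is never empty, then remove the
! blanket permit. Anything outside legitimately needs to initiate would be
! added above the deny line.
access-list OUTSIDE_IN extended deny ip any any log
no access-list OUTSIDE_IN extended permit ip any any

! --- Verification (constructed addresses) ---
! Inside-to-outside echo request: expected ALLOW in both configurations
! (higher-to-lower security level, no ACL required on inside).
packet-tracer input inside icmp 10.1.1.10 8 0 203.0.113.5
! Unsolicited echo request from outside: expected ALLOW with the as-found
! ACL, expected DROP (ACL) after the correction.
packet-tracer input outside icmp 203.0.113.5 8 0 10.1.1.10
```

Comparing the two traces before and after the change makes the point of the accepted answer visible: the inside-to-outside trace never depended on the ACL, while the outside-to-inside trace is what the "ip any any" line was really opening.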
