11-17-2010 02:33 AM - edited 03-11-2019 12:10 PM
Hi Folks,
I've recently deployed a Cisco 5510 Security Plus (8.2.1) to a small company; I have the basics working, but just need to close off some further configuration. I have a couple of issues, but thought I'd start off with the most basic.
I'm trying to ping from INSIDE (from 10.84.x.x hosts, which are routed via separate router @ 10.84.0.1/192.16.84.10 to the Cisco ASA @ 192.16.84.1) to any machine on the OUTSIDE.
I have ICMP enabled in the default inspection map, however pings are still timing out, and I'm seeing the following in the logging (when pinging news.bbc.co.uk from my own desktop):
4 | Nov 17 2010 | 10:25:50 | 106023 | 10.84.6.37 | 212.58.246.80 | Deny icmp src inside:10.84.6.37 dst outside:212.58.246.80 (type 8, code 0) by access-group "int_transit_access_in" [0x0, 0x0]
So the ASA is dropping the traffic due to that ACL, despite the fact that there's a default ICMP inspection in play. Is there any reason why the ACL may override the inspection? If it makes any difference, dynamic NAT is in play between the internal 10.84.x.x subnet and the external interface.
I've attached a sanitised copy of my running config. Apologies if it is difficult to read, or if I haven't provided enough information here; I'm fairly new to Cisco and the running configuration is very much a work in progress.
Many thanks,
Alistair
11-17-2010 02:55 AM
The ACL assigned to an interface is checked before the default ICMP inspection.
ICMP inspection performs deep packet inspection on ICMP packets to create the necessary xlate/translation; however, the interface access list is checked first for all traffic.
You would need to configure your "int_transit_access_in" ACL to allow the ICMP traffic through.
Hope that makes sense.
11-17-2010 03:08 AM
Hi Jennifer,
Thanks for the quick response, much appreciated.
I'm not sure I totally understand this; surely all ASAs will require some sort of ACL to filter traffic, and therefore ICMP inspection will always be overridden by the ACLs, rendering inspection useless in the majority of cases?
Or perhaps I misunderstand inspections in general; I thought they should bypass the need for ACLs, but are they actually purely used to allow translations, despite the fact that I have dynamic NAT implemented, which I thought would handle it? Strangely, if I disable the ICMP inspection and instead create 'any icmp' rules in the ACLs, pings do begin to work...
Sorry for the confusion!
Alistair
11-17-2010 03:17 AM
No, inspection provides deeper packet inspection, and the ACL applied on the interface provides the first level of filtering.
Whether you have inspection turned on or off for ICMP, you still need to allow the traffic through if you have an ACL applied to your ASA interface.
Here is more information on icmp inspection for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1720439
Taking FTP inspection as an example in more detail:
When you enable FTP inspection, the ASA will check the FTP control connection and dynamically open a pinhole for the FTP data connection, since FTP control and data are on different ports.
The same applies to the other inspections, each of which provides deep packet inspection according to the application-specific feature.
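To make the ordering concrete, here is an added ASA 8.2-style configuration fragment (not from the thread, and not Alistair's attached config) showing the two pieces that have to coexist: an explicit permit in the inside interface ACL, which is evaluated first, and ICMP inspection in the default global policy, which then tracks the echo/echo-reply pair so that the reply is accepted on the outside interface without a separate inbound ACL entry. It assumes the inside subnet is 10.84.0.0/16 behind the 192.16.84.10 router, that `int_transit_access_in` is applied inbound on the interface named `inside` (the log line names that interface), and that the policy-map and class names are the ASA defaults; adjust them to match the real config.

```text
! --- Step 1: interface ACL (checked before any inspection) ---
! Permit only echo (type 8) from the internal range rather than
! "permit icmp any any": inspection will take care of the reply,
! and other ICMP types (redirect, router advertisement, ...) stay blocked.
access-list int_transit_access_in extended permit icmp 10.84.0.0 255.255.0.0 any echo
! Optional: allow outbound traceroute probes from the same range.
access-list int_transit_access_in extended permit icmp 10.84.0.0 255.255.0.0 any traceroute
! The ACL must be bound to the interface for the permit to take effect.
access-group int_transit_access_in in interface inside

! --- Step 2: ICMP inspection in the default global policy ---
! "inspect icmp" makes echo/echo-reply stateful (one reply per request,
! matched on ID/sequence); "inspect icmp error" rewrites the addresses
! embedded in ICMP error messages so they match the dynamic NAT xlate.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Verification (read-only) ---
! Shows which ACE the packet hits, whether NAT is applied, and the final
! action; "type 8 code 0" reproduces the denied packet from the syslog.
packet-tracer input inside icmp 10.84.6.37 8 0 212.58.246.80
! Hit counters confirm the new permit line is matching.
show access-list int_transit_access_in
! Confirms the inspection is active and counting packets.
show service-policy inspect icmp
```

With inspection disabled, the ASA treats ICMP statelessly, which is why the 'any icmp' workaround only appeared to help: the echo-reply coming back on the outside interface then also has to be permitted by an ACL there, opening inbound ICMP far more widely than needed. Keeping `inspect icmp` on and permitting only echo outbound gives the same working ping with a much smaller exposed surface.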
11-17-2010 03:57 AM
Excellent, thanks for this Jennifer - makes sense!
Alistair