Participant

ICMP Inspection

Hi All,

Please advise on the below

Say we have enabled inspection for ICMP. How does the firewall do the stateful inspection?

From other blogs, it seems the ASA will create a Dynamic ACL with wildcard source address. 

Question:

1) If the source address is a wildcard, and I have crafted a packet with the correct destination address that is an ICMP reply, will it be successful?

2) What are the attributes the ASA firewall will keep in its stateful session for checking of the return traffic?

Thanks

3 REPLIES
Advisor

I think this applies to "icmp error" inspection, rather than "icmp" inspection, which is different.

(1) Yes. In fact, if you are good enough at spoofing packets you could do this for any reply packet of any type.

(2) I don't know. icmp error should be tied to an existing tcp/udp session I would think, while icmp inspection should match an existing outbound icmp packet.
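To make the difference between a wildcard-source ACL and stateful matching concrete, here is a small added Python model (not code from any poster, and not Cisco's implementation). It assumes the state entry for an outbound echo request is (src, dst, identifier, sequence) and that each request admits exactly one reply; the addresses are constructed sample values.

```python
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Icmp:
    """Constructed ICMP echo packet: addresses plus identifier and sequence."""
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int


def wildcard_acl_permits(pkt, inside_hosts):
    """Return-path ACL with a wildcard source (the case the question asks about):
    any echo reply addressed to an inside host passes, whoever sent it."""
    return pkt.icmp_type == ECHO_REPLY and pkt.dst in inside_hosts


class IcmpInspector:
    """Assumed model of stateful echo inspection: an outbound request records
    (src, dst, ident, seq); a reply must match the reversed tuple, once."""
    def __init__(self):
        self.pending = set()  # outstanding requests, each awaiting one reply

    def outbound(self, pkt):
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True  # this model does not restrict outbound traffic itself

    def inbound(self, pkt):
        if pkt.icmp_type != ECHO_REPLY:
            return False  # unsolicited inbound requests: not permitted here
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reverse of the request
        if key in self.pending:
            self.pending.remove(key)  # consumed: a replayed copy is dropped
            return True
        return False  # correct destination alone is not enough


def demo():
    """Constructed traffic: one real ping, then three replies a wildcard ACL
    would pass but stateful matching rejects. Returns (acl, state) verdicts."""
    inside = {"10.0.0.5"}
    fw = IcmpInspector()
    fw.outbound(Icmp("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 1))
    replies = [
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1),  # genuine reply
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1),  # replayed copy
        Icmp("203.0.113.9", "10.0.0.5", ECHO_REPLY, 0x1234, 1),   # wrong source
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 2),  # unrequested seq
    ]
    return [(wildcard_acl_permits(p, inside), fw.inbound(p)) for p in replies]
```

Only the first reply is accepted by the stateful check, while the wildcard ACL alone would accept all four.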

Frequent Contributor

Hello Philip,

I got into a recent small issue with ICMP on ASA. In production, on ASA boxes doing mostly VPN (site-to-site or AnyConnect), do you enable ICMP inspect or not?

Do you have any recommendations or best practices for when to enable it and when to use the default config for ICMP inspect?

Thanks,

Florin.

Advisor

I always turn it on. I think it is too valuable as a tool to leave off.