01-19-2016 11:00 PM - edited 03-12-2019 12:10 AM
Hi All,
Please advise on the below.
Say for ICMP, we have enabled inspection; how does the firewall do the stateful inspection?
From other blogs, it seems the ASA will create a Dynamic ACL with wildcard source address.
Question:
1) If the source address is a wildcard, and I craft a packet with the correct destination address that is an ICMP reply, will it be successful?
2) What are the attributes the ASA firewall will keep in its stateful session for checking of the return traffic?
Thanks
01-19-2016 11:33 PM
I think this applies to "icmp error" inspection, rather than "icmp" inspection, which is different.
(1) Yes. In fact, if you are good enough at spoofing packets you could do this for any reply packet of any type.
(2) I don't know. icmp error should be tied to an existing tcp/udp session, I would think, while icmp inspection should match an existing outbound icmp packet.
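To illustrate what "match an existing outbound icmp packet" means for questions (1) and (2), here is an added example (not from this thread or from Cisco) that models a stateful ICMP echo table. It assumes, as a simplification, that the session entry is keyed on the addresses plus the ICMP identifier and sequence number; the exact attributes the ASA tracks are not stated in this thread.

```python
from dataclasses import dataclass

# ICMP type numbers for echo (RFC 792); these decide which packets create or match state.
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int  # ICMP identifier field
    seq: int    # ICMP sequence number


class IcmpStateTable:
    """Hypothetical model of a stateful firewall's ICMP echo tracking (an assumption, not ASA code)."""

    def __init__(self):
        self._sessions = set()

    def outbound(self, pkt: IcmpPacket) -> bool:
        # An outbound echo request from the inside creates a session entry keyed on
        # the attributes a genuine reply must echo back.
        if pkt.icmp_type == ECHO_REQUEST:
            self._sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return True
        return False

    def inbound(self, pkt: IcmpPacket) -> bool:
        # An inbound echo reply is permitted only if it matches an outstanding request:
        # the reply's src/dst are the request's dst/src, and ident/seq match exactly.
        if pkt.icmp_type != ECHO_REPLY:
            return False
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if key in self._sessions:
            self._sessions.remove(key)  # one reply per request; the entry is consumed
            return True
        return False


def demo():
    """Constructed packets: one legitimate reply, one with the right destination only, one wrong ident."""
    fw = IcmpStateTable()
    fw.outbound(IcmpPacket("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 1))
    legit = IcmpPacket("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1)
    crafted = IcmpPacket("203.0.113.9", "10.0.0.5", ECHO_REPLY, 0x1234, 1)  # correct dst, no matching request
    wrong_id = IcmpPacket("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x9999, 1)
    # Returns (crafted, wrong_id, legit, legit again); only the first genuine reply is allowed.
    return fw.inbound(crafted), fw.inbound(wrong_id), fw.inbound(legit), fw.inbound(legit)
```

With this model, a reply that only gets the destination right is dropped because no outbound request created state for it, and a second copy of a genuine reply is also dropped once the entry has been consumed.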
02-22-2016 01:30 PM
Hello Philip,
I got into a recent small issue with ICMP on ASA. In production on ASA boxes doing mostly VPN (site-to-site or Anyconnect) do you enable or not ICMP inspect?
Do you have any recommendations or best practices for when to enable and when to use the default config on ICMP inspect?
Thanks,
Florin.
02-22-2016 01:49 PM
I always turn it on. I think it is too valuable as a tool to leave off.