03-30-2011 07:03 AM - edited 03-11-2019 01:14 PM
I am using a Pix 515 with IOS 8.0(3).
I have in my access list on the outside interface...........
access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo
access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo-reply
.........in order to allow ping requests and ping replies into my inside network. This certainly works since I can ping the inside from outside and vice versa, but in the ASDM display of access rules, the hit count for these two lines is always zero. If I run 'show access-list', the hit count for these lines is non-zero.
Why doesn't the hit count show up in the ASDM gui display?
Also, I have read that the PIX does not treat ICMP in the same way as TCP or UDP and there is no stateful behaviour towards ICMP. However, if I set up a continuous ping from outside to inside and then disable the above access list rule allowing echo requests towards the inside, the ping continues whereas I would expect it to stop.
In the config there is 'timeout icmp 00:00:02'. If there is no stateful connection for ICMP, why is there a timeout value for it?
Hope somebody can put me out of my misery!
Thanks for any replies...........
03-30-2011 09:28 AM
Hi Gavin,
For the hitcount problem, please let us know what version of ASDM you are running. There have been some bugs in the past with ACL hit counts in ASDM.
For your 2nd question, the PIX will build a connection for ICMP and treat it statefully if you have the ICMP inspection enabled. You can read about this behavior here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1720439
"The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic."
You can check if this is enabled by looking at the output of 'show service-policy'. If ICMP inspection is enabled, you'll see a line like this:
Inspect: icmp, packet 1, drop 0, reset-drop 0
The timeout value is applied to ICMP connections (built when the inspection is enabled) that are idle for 2 seconds.
Hope that helps.
-Mike
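To make the behaviour Mike describes concrete, this is an added example (not from the thread) showing how ICMP inspection is enabled on a PIX/ASA running 8.0 code and how to confirm it from the CLI; it assumes the platform's default policy-map and class names, global_policy and inspection_default, are in use.

```cisco
! Add ICMP (and ICMP error) inspection to the default global policy so that
! echo requests build a connection entry and the matching echo-reply is
! allowed back statefully, instead of relying only on the interface ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Confirm the inspection is active; the output should now contain a line of
! the same form as the one quoted above ("Inspect: icmp, packet ..., drop ...").
show service-policy | include icmp

! Idle ICMP connection entries are removed after 'timeout icmp' (2 seconds by
! default); watch them appear and expire while a ping is running.
show conn protocol icmp

! Per-ACE hit counts straight from the CLI, independent of what ASDM displays.
show access-list outside_access_in
```

With inspection enabled, the permit for echo-reply on the outside ACL is no longer needed for replies to pings started from the inside, since the reply is matched to the existing connection.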
03-30-2011 09:46 AM
Hi Mike,
Thanks for your reply.
The ASDM is version 6.0(3)
The output of show service-policy is as follows: (all at default settings I presume because I haven't configured anything here)
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 14531839, drop 32518, reset-drop 0
Inspect: ftp, packet 390592, drop 1760, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 553, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 96, drop 89, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 84982, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 15627132, drop 17850, reset-drop 0
Inspect: sqlnet, packet 537, drop 0, reset-drop 0
Inspect: skinny , packet 280, drop 0, reset-drop 0
Inspect: sunrpc, packet 16, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 5979483, drop 89891, reset-drop 0
Inspect: netbios, packet 46574, drop 460, reset-drop 0
Inspect: tftp, packet 20, drop 0, reset-drop 0
If I disable the access rule that permits echo requests inbound, the ping keeps going. However if I stop it and wait a few seconds and then restart it, the pings don't return. So it does look stateful even without the inspection enabled.
Does this make sense?
03-31-2011 09:35 AM
Hi Gavin,
There are a handful of bugs in ASDM 6.0 that are related to this. CSCsl30904 and CSCsu00875 are a couple of them. I would suggest trying ASDM 6.4(1) to get the fixes for all the bugs we have available. You can easily upgrade ASDM by downloading it from cisco.com, copying it to the ASA's flash, and then changing the 'asdm image' command.
Hope that helps.
-Mike
03-31-2011 09:36 AM
Hi Gavin,
Sorry, please disregard the last post. I forgot you were using a PIX. Try ASDM 6.1(5) instead.
-Mike