
Syslog message states ICMP uses ports.

I have a doubt regarding the syslog message output. I can see the teardown ICMP connection message stating that the ICMP pings are sent to the destination on port 25.

 

Mar 11 2020 16:04:35: %ASA-6-302021: Teardown ICMP connection for faddr 10.35.104.12/0 gaddr 10.50.11.200/25 laddr 10.50.11.200/25

 

But I did a packet capture and saw the same packets, and I couldn't see any information about a port because obviously ICMP doesn't support ports.


Cristian Matei
VIP Alumni

Hi,

 

Those are not port numbers. ICMP has to be NAT-PT capable, and the way this was achieved (only for supported ICMP message types, like Query and Error) is that a "pseudo port-number" is selected for the PAT table, based on the Query Identifier from the ICMP header or the embedded datagram from the ICMP payload. If you're curious, read more in RFC 5508.

 

Regards,

Cristian Matei.

I got a better idea of the need for ICMP PAT compatibility, but the firewall which generated these logs is an internal log and also there are no NAT rules of any kind configured.

 

 

 

Hi,

  

If the ASA from which the posted log was collected does not do NAT, those numbers are derived/copied over from the "Sequence Number" in the ICMP header; this number changes with each packet being sent.

 

Regards,

Cristian Matei.
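Added example, not part of the thread and not Cisco code: a log normalizer for the 302021 line quoted in the question that keeps the number after each slash as an ICMP header-derived value instead of a port, shown next to a naive parser that would tag the same event as SMTP. The output field names and the `WELL_KNOWN` table are assumptions; only IPv4 addresses in the format shown in the thread are handled.

```python
import re

# Teardown format as quoted in the thread (message ID 302021).
ICMP_TEARDOWN = re.compile(
    r"%ASA-6-302021: Teardown ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fval>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gval>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lval>\d+)"
)

# Generic "address/number" matcher of the kind a naive normalizer relies on.
ADDR_SLASH_NUM = re.compile(r"(\d+\.\d+\.\d+\.\d+)/(\d+)")
WELL_KNOWN = {25: "smtp", 53: "dns", 443: "https"}  # assumed lookup table

# The log line from the thread.
SAMPLE = ("Mar 11 2020 16:04:35: %ASA-6-302021: Teardown ICMP connection for "
          "faddr 10.35.104.12/0 gaddr 10.50.11.200/25 laddr 10.50.11.200/25")


def naive_normalize(line):
    """Treats every addr/N pair as addr/port, which mislabels ICMP events."""
    pairs = ADDR_SLASH_NUM.findall(line)
    if not pairs:
        return None
    addr, num = pairs[-1]
    return {"dst_ip": addr, "dst_port": int(num),
            "service": WELL_KNOWN.get(int(num))}


def normalize(line):
    """Parses 302021 and keeps the slash values out of the port fields."""
    m = ICMP_TEARDOWN.search(line)
    if not m:
        return None
    return {
        "protocol": "icmp",
        "faddr": m["faddr"], "gaddr": m["gaddr"], "laddr": m["laddr"],
        "dst_port": None,   # ICMP has no ports
        "service": None,    # so no service lookup either
        # Per the replies above: derived from ICMP header fields, not a port.
        "icmp_values": {"faddr": int(m["fval"]), "gaddr": int(m["gval"]),
                        "laddr": int(m["lval"])},
    }


if __name__ == "__main__":
    print("naive:  ", naive_normalize(SAMPLE))
    print("correct:", normalize(SAMPLE))
```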
