03-24-2020 04:31 PM
I have a doubt regarding syslog message output. I can see the teardown ICMP connection message stating
that the ICMP pings are sent to the destination on port 25.
Mar 11 2020 16:04:35: %ASA-6-302021: Teardown ICMP connection for faddr 10.35.104.12/0 gaddr 10.50.11.200/25 laddr 10.50.11.200/25
But I did a packet capture and saw the same packets, and I couldn't see any information about a port, because obviously ICMP doesn't support ports.
03-25-2020 04:40 AM
Hi,
Those are not port numbers. ICMP has to be NAT-PT capable, so this is how it was achieved (only for supported ICMP message types, like Query and Error): a "pseudo port number" is selected for the PAT table, based on the Query Identifier from the ICMP header or the embedded datagram from the ICMP payload. If you're curious, read more in RFC 5508.
Regards,
Cristian Matei.
03-25-2020 08:27 AM
I got a better idea of the need for ICMP PAT compatibility, but the firewall which generated these logs is an internal one, and also there are no NAT rules of any kind configured.
03-25-2020 09:02 AM
Hi,
If the ASA from which the posted log was collected does not do NAT, those numbers are derived/copied over from the "Sequence Number" in the ICMP header; this number changes with each packet being sent.
Regards,
Cristian Matei.
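To make the two answers concrete, here is an added example (not code from the thread, Cisco, or the ASA) that parses the posted 302021 line, decodes the 8-byte ICMP echo header from a constructed packet, and reports which header field (Query Identifier or Sequence Number) the "/N" value in the log corresponds to. The regex, the `IcmpConnLog` structure and the sample packet bytes are assumptions for illustration; the checksum routine is the standard RFC 1071 one's-complement sum. Check the syslog reference for the ASA version you run before treating this field mapping as authoritative.

```python
import re
import struct
from dataclasses import dataclass

# Constructed sample: the log line from the thread.
ASA_LINE = ("Mar 11 2020 16:04:35: %ASA-6-302021: Teardown ICMP connection for "
            "faddr 10.35.104.12/0 gaddr 10.50.11.200/25 laddr 10.50.11.200/25")

# Assumed pattern for the 302020 (Built) / 302021 (Teardown) ICMP connection messages.
ASA_ICMP_RE = re.compile(
    r"%ASA-\d-3020(?P<code>2[01]): (?:Built|Teardown)(?: inbound| outbound)? ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fnum>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gnum>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lnum>\d+)"
)


@dataclass
class IcmpConnLog:
    faddr: str
    fnum: int
    gaddr: str
    gnum: int
    laddr: str
    lnum: int
    # gaddr != laddr means the ASA translated the local address (NAT in play).
    nat_applied: bool


def parse_asa_icmp_conn(line: str) -> IcmpConnLog:
    m = ASA_ICMP_RE.search(line)
    if not m:
        raise ValueError("not an ASA 302020/302021 ICMP connection message")
    return IcmpConnLog(
        faddr=m["faddr"], fnum=int(m["fnum"]),
        gaddr=m["gaddr"], gnum=int(m["gnum"]),
        laddr=m["laddr"], lnum=int(m["lnum"]),
        nat_applied=(m["gaddr"] != m["laddr"]),
    )


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a packet with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an echo request (type 8) or reply (type 0) with a correct checksum. Constructed test data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(packet: bytes) -> dict:
    """Decode the fields a packet capture shows for an echo: type, code, identifier, sequence."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):
        raise ValueError("only echo request/reply carry identifier and sequence")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "identifier": ident, "sequence": seq}


def match_log_number(log: IcmpConnLog, echo: dict) -> list:
    """Which ICMP header fields the log's laddr '/N' value equals.
    Per the thread: with PAT the number is derived from the Query Identifier (RFC 5508);
    without NAT it is copied from the Sequence Number. There is no L4 port in ICMP."""
    hits = []
    if log.lnum == echo["identifier"]:
        hits.append("identifier")
    if log.lnum == echo["sequence"]:
        hits.append("sequence")
    return hits


if __name__ == "__main__":
    log = parse_asa_icmp_conn(ASA_LINE)
    # Constructed capture: echo request whose sequence number is 25 (no NAT on this ASA).
    pkt = build_icmp_echo(8, ident=0x1234, seq=25, payload=b"abcdefgh")
    echo = parse_icmp_echo(pkt)
    print(log)
    print(echo)
    print("log /25 matches ICMP field(s):", match_log_number(log, echo))
```

The point of the checksum validation is practical: when you correlate a capture with these syslog lines you want to be sure you are decoding a real echo header and not an error message's embedded datagram, which is the other source of the "pseudo port" the RFC describes.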