02-22-2011 11:07 PM - edited 03-11-2019 12:54 PM
I have ASA 5510. I know by default ASA does not allow ICMP echo to pass through ASA so the host behind my ASA will not get echo replies.
I used to think that I must create access list to enable the ICMP packets to pass through ASA. Then I found that I can also create a service policy to enable ICMP inspection to achieve the same goal.
But why? How does application inspection on ICMP "make" ASA allow ICMP to pass without any access list configured?
Solved! Go to Solution.
02-22-2011 11:47 PM
ICMP Inspection
An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic Access Control Lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftfwicmp.html
UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair. UDP also contains port pairs, and ICMP has type and code information. All of these data can be analyzed in order to build "virtual connections" in the cache. For instance, a cache entry will be created by any UDP packet which originates on the LAN. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN which have matching IP and UDP information will be allowed back in through the firewall.
02-22-2011 11:28 PM
You will have to configure an access-list to pass through the ICMP ECHO if you already have an access-list applied to your interfaces; however, with the "inspect icmp", it will dynamically allow the corresponding ICMP ECHO Reply to pass through without needing to have an access-list to allow the ECHO Reply.
Here is more information on ICMP inspection for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735986
Hope that helps.
02-23-2011 11:18 AM
Is it true that by default ASA has the inspection engine configured not to allow ICMP echo to pass through? Then, when I enable stateful inspection on ICMP, the inspection engine will start to allow all ICMP types such as echo to pass through ASA?
I am thinking that it is inspection engine that blocks the ICMP packet because I do not see any new access list created after I enable or disable ICMP inspection.
I used to think that enabling stateful inspection of ICMP and allowing ICMP to pass through firewall are two different things. Is it by design Cisco thinks that if you enable stateful inspection on ICMP, it is safe to allow ICMP to pass through ASA?
02-23-2011 04:55 PM
No, not echo; it will allow the respective echo-reply back in if icmp inspection is enabled.
For echo, you still need to allow that through in your access-list as echo will be the first connection through the firewall.
And it would be best if you enable icmp inspection because the firewall will check that only the legitimate reply gets through. With access-list, it will pretty much allow any replies to come through.
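The following is an added Python model of the behaviour the two answers above describe (it is not code from this thread and not Cisco's implementation): an outbound echo request opens an inspection session for the inside host, return types (echo-reply, time-exceeded, unreachable, timestamp-reply) are admitted against that session with the source address wildcarded, and a static outside-in ACL permits any reply regardless of whether it was solicited. The hosts, the `ident` field (standing in for the echo identifier, or the identifier of the datagram an error message quotes), and the "one reply closes the session" rule are constructed simplifying assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# ICMP type numbers from RFC 792
ECHO_REPLY = 0
DEST_UNREACH = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
TIMESTAMP_REQUEST = 13
TIMESTAMP_REPLY = 14

# Types that open an inspection session when sent from inside...
REQUEST_TYPES = {ECHO_REQUEST, TIMESTAMP_REQUEST}
# ...and the return types the inspection engine admits for an open session
RETURN_TYPES = {ECHO_REPLY, TIME_EXCEEDED, DEST_UNREACH, TIMESTAMP_REPLY}


@dataclass(frozen=True)
class Icmp:
    """Constructed packet summary: addresses, ICMP type and the echo identifier
    (for error messages, the identifier of the original datagram they quote)."""
    src: str
    dst: str
    icmp_type: int
    ident: int


@dataclass
class Firewall:
    inspect_icmp: bool
    # static outside->inside ACL, modelled as the ICMP types it permits from any source
    outside_acl: Set[int] = field(default_factory=set)
    # dynamic sessions keyed by (inside host, identifier); value is the original destination
    sessions: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def outbound(self, pkt: Icmp) -> bool:
        """Inside->outside is permitted (higher to lower security level); with
        'inspect icmp' a request also records a session for its return traffic."""
        if self.inspect_icmp and pkt.icmp_type in REQUEST_TYPES:
            self.sessions[(pkt.src, pkt.ident)] = pkt.dst
        return True

    def inbound(self, pkt: Icmp) -> str:
        """Outside->inside: static ACL first, then the dynamic session table."""
        if pkt.icmp_type in self.outside_acl:
            return "permit-acl"          # any source, solicited or not
        key = (pkt.dst, pkt.ident)
        if self.inspect_icmp and pkt.icmp_type in RETURN_TYPES and key in self.sessions:
            # source address is wildcarded: unreachable / time-exceeded may come from a hop
            if pkt.icmp_type in (ECHO_REPLY, TIMESTAMP_REPLY):
                del self.sessions[key]   # one reply per request (simplifying assumption)
            return "permit-inspect"
        return "deny"                    # implicit deny for lower -> higher security level


def run_scenario(inspect_icmp: bool, outside_acl: Set[int]) -> Dict[str, str]:
    """Constructed traffic: one echo from inside host 10.1.1.5 to 198.51.100.9,
    followed by five inbound packets of differing legitimacy."""
    fw = Firewall(inspect_icmp, set(outside_acl))
    fw.outbound(Icmp("10.1.1.5", "198.51.100.9", ECHO_REQUEST, 0x1234))
    return {
        "ttl_exceeded_from_hop": fw.inbound(Icmp("203.0.113.1", "10.1.1.5", TIME_EXCEEDED, 0x1234)),
        "legit_reply": fw.inbound(Icmp("198.51.100.9", "10.1.1.5", ECHO_REPLY, 0x1234)),
        "replayed_reply": fw.inbound(Icmp("198.51.100.9", "10.1.1.5", ECHO_REPLY, 0x1234)),
        "unsolicited_reply": fw.inbound(Icmp("198.51.100.77", "10.1.1.5", ECHO_REPLY, 0x9999)),
        "inbound_echo": fw.inbound(Icmp("198.51.100.9", "10.1.1.5", ECHO_REQUEST, 0x0001)),
    }


if __name__ == "__main__":
    print("inspect icmp, no ACL:", run_scenario(True, set()))
    print("ACL permits replies, no inspect:", run_scenario(False, {ECHO_REPLY, TIME_EXCEEDED, DEST_UNREACH}))
    print("neither:", run_scenario(False, set()))
```

Running the three scenarios shows the point of the last answer: with inspection alone, the hop's time-exceeded and the genuine reply get in while the replayed and unsolicited replies are dropped, whereas an ACL that permits reply types admits all of them; in neither case does an inbound echo request pass, which is why the echo itself still needs an ACL entry on the outside interface.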