There are many articles out there about ICMP and ping. This article focuses solely on ICMP traffic passing through the Cisco Adaptive Security Appliance (ASA). With the default configuration, the ASA allows a host to ping the interface it is connected to; however, a ping from an internal host to a destination on the Internet normally fails.
By default, traffic from the higher security zone (Inside) to the lower security zone (Outside) is allowed without any access lists. Return traffic from Outside to Inside is allowed through because the connection was initiated from Inside.
Take, for example, a client accessing a web page on the Internet. When a packet from the client arrives on the Inside interface, the packet is categorized into a flow based on the five-tuple: source IP, source port, destination IP, destination port, and the Layer 4 protocol. The ASA maintains a state table to track these connections (flows), and based on this state table the return traffic from the web server is allowed through the firewall.
Back to the ASA and ping: ping uses ICMP, which the ASA handles differently from TCP and UDP. The ASA does not track ICMP sessions by default, so ICMP is handled statelessly, because ICMP packets do not themselves carry any connection information such as ports. Being stateless, the ASA lets the ICMP echo request pass from Inside to Outside, but it does not allow the ICMP echo reply back from Outside to Inside.
The Cisco ASA can track ICMP sessions when the ICMP inspection engine is enabled. The ICMP session is then tracked, which in turn allows the ICMP reply packets to pass from Outside to Inside. ICMP inspection can also dynamically allow time-exceeded and destination-unreachable messages to pass in through the Outside interface, provided the ICMP traffic was initiated from Inside to begin with.
Below you will find the ICMP inspection configuration.
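The following is an added example of the ASA configuration that enables ICMP inspection, not configuration taken from this article. It enables `inspect icmp` (and `inspect icmp error` for the time-exceeded and unreachable messages mentioned above) in the default `global_policy`, which the ASA applies globally out of the box; the interface names and the 192.0.2.10 / 198.51.100.5 addresses in the verification commands are placeholders.

```text
! Added example: enable ICMP inspection in the ASA's default global policy.
! Once enabled, the ASA creates an ICMP session for each echo request leaving
! Inside and matches the echo reply (and, with "inspect icmp error", any
! time-exceeded / unreachable message) coming back in from Outside.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! The default policy is already applied globally; shown here for completeness.
service-policy global_policy global
!
! Verification (placeholder addresses: 192.0.2.10 = inside client,
! 198.51.100.5 = outside host). packet-tracer simulates an echo request
! (ICMP type 8, code 0) entering the inside interface and reports whether
! inspection is applied and the flow is permitted.
packet-tracer input inside icmp 192.0.2.10 8 0 198.51.100.5
!
! Confirm the inspection is active and watch the tracked ICMP sessions
! while a ping is running.
show service-policy inspect icmp
show conn protocol icmp
```

With inspection enabled, `show conn protocol icmp` lists a short-lived connection for each echo request while the ping is in progress; with inspection disabled, no ICMP entries appear and the reply is dropped on the Outside interface.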
Now, when the client pings the web server, the ICMP echo request is allowed through and the ASA starts tracking this ICMP session.
Finally, when the web server sends the echo reply, the ASA determines that this packet belongs to an existing session and allows it through.
With ICMP inspection disabled, a ping from VPC4 to VPC5 fails.
The ASA lets the echo request pass through, but the ICMP echo reply from VPC5 to VPC4 is denied.