facts about ICMP on ASA

The_guroo_2
Level 2

Guys, can someone tell me a few things about ICMP... in post-8.4 ASA?

1- Is ICMP allowed to the interface by default?

2- What is the policy-map ICMP thing we add for inspection? What is the reason for doing that? Does it allow in to out or out to in?

3- Why can't we ping the internal inside interface? (If I have a VPN client, why can't it ping the inside interface of the firewall? Is it blocked?)

4- What is ICMP stateful inspection allowing?

Just really confused about the topic.

Jouni Forss
VIP Alumni

Hi,

1. Yes, the default setting is that ICMP is allowed to any ASA interface

2. We typically add ICMP Inspection which is NOT enabled by default. The ICMP Inspection essentially makes it possible for the ASA to track the ICMP state/connection in the same way as with TCP/UDP. So it will essentially for example see an ICMP Echo from LAN to WAN and knows to let through a matching ICMP Echo Reply from WAN to LAN. It also makes sure that only one reply is allowed.

3. For this to work you need a configuration "management-access inside". After this you should be able to ICMP the "inside" interface IP address and also connect to it for management purposes. Provided of course that you have other configurations related to VPN and NAT for example to make this possible.

4. The answer to this is pretty much the same as in 2.). It enables the ASA to keep track of the ICMP messages through the firewall and allow the appropriate reply messages through the firewall without a separate ACL allowing the return direction.

- Jouni
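The configuration the reply describes, written out as an added example (not part of either post): it enables ICMP inspection in the default global policy, turns on management-access for the inside interface, and, as a defensive addition the reply does not show, restricts the default "ICMP to any interface" behaviour with the `icmp` command. It assumes the default policy names `global_policy` and `inspection_default` and interface names `inside`/`outside`.

```cisco
! --- Question 2 / 4: stateful ICMP inspection (NOT on by default) ---
! Adding "inspect icmp" to the default class lets the ASA track an Echo
! from LAN to WAN as a connection and admit exactly one matching Echo Reply
! from WAN to LAN, with no separate ACL for the return direction.
! "inspect icmp error" additionally ties ICMP error messages (e.g. TTL
! exceeded, unreachable) to the TCP/UDP/ICMP connection that caused them.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Apply the policy on all interfaces (already present in a default config).
service-policy global_policy global
!
! --- Question 3: reach the inside interface IP across a VPN tunnel ---
! Without this line a VPN client cannot ping or manage the inside
! interface address, because the traffic enters on "outside".
management-access inside
!
! --- Question 1: ICMP to the ASA's own interfaces is allowed by default ---
! The "icmp" command controls ICMP addressed TO the ASA (not through it).
! Example hardening, assumed addressing: allow echo from the LAN only,
! and drop all ICMP aimed at the outside interface itself.
icmp permit 10.0.0.0 255.255.255.0 echo inside
icmp deny any inside
icmp deny any outside
!
! --- Verification ---
! show service-policy inspect icmp   -> counters prove inspection is active
! show conn                           -> ICMP entries appear while a ping runs
```

The `icmp` lines only affect packets destined for the ASA's interface addresses; transit ICMP through the box is governed by the interface ACLs plus the inspection above.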