Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
314
Views
0
Helpful
1
Replies

ICMP

The_guroo_2
Level 2
Level 2

‎08-29-2013 10:55 PM

Hi Just want to know the rule of thumb about ICMP

In ASA post 8.3 all ICMP is blocked is that right.......i know that ICMP is blocked from high security level to lower security level....is that right for sake of example my inside is 100 and outside is 0 so by default if i have to ping yahoo.com i would not be bale to do it????

this glocal inspection stuff default where you add icmp will that makeit work or do i have to do access-list......secondly what is teh rule from low security to high security for icmp.....if i have a VPN and my client get IP from the pool which i have specified will that be able to ping my inside interface otr host on insdie interface or do i have to add access list???

Thanks

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎08-29-2013 11:25 PM

For ICMP (where we only look at ping now) you have to differentiate three different scenarios:

1) Ping to the ASA
Is actually always allowed unless you restrict it. There was a release long time ago (was it in the 6-releases? I don't remember) that denied ping on the outside interface, but that was an exception.

2) Ping through the ASA without VPN
Here, Ping is a a packet like anything else. It has to be inspected to automatically allow return-traffic. This inspection is on by default for TCP and UDP but not for ICMP. The way to allow it is to enable the inspection and not to use an ACL-entry for that. The problem with the ACL-approach is that the echo-replys were also allowed if there was no initiating request. The initial packet of course needes to be allowed by ACL or by security-level.

3) Ping through a VPN
Here by default all traffic is allowed what is coming from the VPN and we have two ways to control that. The more modern way is to use VPN-filter with the problem that these can not be configured per direction. The old way (which was the only way years ago on the PIX) was that every new session that came from the VPN was compared against the ACL on the VPN-terminating interface where it had to be allowed. Also today it is possible to restore this old behaviour.


Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents