New config add ACL for ICMP and lose implicit ACL

Unanswered Question
Mar 29th, 2007

Yes, I am a newbie... I have the initial configuration of the ASA5520 finished and started adding some ACL. I can access lower security levels just fine but I want everybody to be able to ping everybody else. I tried:

icmp permit 0.0.0.0 0.0.0.0 inside
icmp permit 0.0.0.0 0.0.0.0 dmz

but that doesn't do what I need. I tried:

access-list Inside_access_in extended permit icmp any any
access-list DMZ_access_in extended permit icmp any any
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside

It worked but I lost the ability to reach a lower security interface with the implicit rule. I tried to manually create the implicit rules but couldn't. What am I doing wrong?

Do I have to individually create every ACL for every device I want to ping?

vitripat Thu, 03/29/2007 - 12:59

Hey There ..

Using ACLs to permit ICMP through the firewall was the old, efficient way. However, now we can inspect ICMP traffic. So if a host on a higher security interface initiates a ping to a host on a lower security interface, this will be inspected by the firewall and we don't need to use an ACL to specifically permit the ICMP reply.

By default, you should have the following configuration on your ASA:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Thus, now to enable stateful ICMP inspection, you need to implement the following commands:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

"inspect icmp error" will also allow traceroute to pass through.

Please note that using this configuration will not allow hosts on the lower security to ping hosts on the higher security interface of firewall.

For this, we would need to statically map the hosts on higher security to lower security interface and then use the ACL to permit the traffic on the lower security level interface.

Hope this helps. Let me know if you need further clarification on this.

Regards,

Vibhor.

franktclark Thu, 03/29/2007 - 14:03

There is some kind of major problem because none of those items appear in my ASA 7.0(6) configuration. I do most of my configuration with the ASDM. What am I missing?

vitripat Thu, 03/29/2007 - 14:16

It seems that the default configuration might have been erased and then the ASA was reconfigured. However, this is not a major issue. Only those inspect commands should be in for which traffic pertaining to the protocols specified exists in your network and passes through the ASA.

What you can do is simply add the following commands using the command line interface:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
service-policy global_policy global

Note: You may remove some of the inspect commands if the protocols specified do not exist in your network.

Hope that helps.

Regards,

Vibhor.

franktclark Thu, 03/29/2007 - 14:25

OK. That will take care of pinging from higher to lower security. Do I understand then that every device I have a static to access from lower to higher security will require an individual ACL to ping it? That still doesn't help because when I create an ACL for a single device I lose the implicit rule for the whole interface. What am I doing wrong?

vitripat Thu, 03/29/2007 - 15:26

Let me illustrate this with an example.

On the DMZ let's say you have the network 192.168.2.0/24.

The inside network is 192.168.1.0/24.

Now you want the DMZ network to be able to ping 192.168.1.10 & 192.168.1.20. But the DMZ should only be able to ping these two hosts on the inside; it shouldn't be able to access anything else on the inside. The DMZ's outbound connectivity should work fine. Here are two of the ways by which this can be achieved:

nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
global (dmz) 1 interface

--Above commands are only to allow outbound access--

static (inside,dmz) 192.168.1.10 192.168.1.10
static (inside,dmz) 192.168.1.20 192.168.1.20
access-list dmz_in permit icmp any any
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

OR

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

All other commands remain the same.

Hope this helps.

Regards,

Vibhor.

David White Thu, 03/29/2007 - 19:36

If you don't want to translate IP addresses, then you don't need the static commands as "no nat-control" is enabled by default. So, you only need to create ACLs on the lower security level interfaces to permit the traffic you want. All ACLs will have an implicit 'deny ip any any' at the bottom of them (just like on IOS).

David.
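To make the "lost implicit rule" that franktclark keeps running into concrete, here is an added Python model (written for this page, not code from the thread or from Cisco) of how an ASA interface decides on a new connection: with no access-group bound, only the implicit higher-to-lower security rule applies; once any ACL is bound, the ACL alone decides and ends in the implicit 'deny ip any any' David mentions. The security levels are assumed values, the hosts are constructed, and NAT, inspection and return traffic are deliberately left out.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Toy model of ASA 7.x interface access control (added example, not from the thread).
# Simplification: ignores NAT, inspection/return traffic and object groups.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # assumed levels
ANY = IPv4Network("0.0.0.0/0")

@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise e.g. "icmp", "tcp"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, proto, src, dst):
        return (self.proto in ("ip", proto)
                and IPv4Address(src) in self.src
                and IPv4Address(dst) in self.dst)

def _take_addr(tok):
    """Consume 'any' or 'ADDR MASK' from the front of tok and return the network."""
    if tok[0] == "any":
        del tok[0]
        return ANY
    net = IPv4Network(f"{tok[0]}/{tok[1]}")
    del tok[:2]
    return net

def parse_acl(lines):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST' lines, in order."""
    aces = []
    for line in lines:
        tok = line.split()[2:]             # drop 'access-list NAME'
        if tok[0] == "extended":
            tok.pop(0)
        action, proto, tok = tok[0], tok[1], tok[2:]
        src = _take_addr(tok)
        dst = _take_addr(tok)
        aces.append(Ace(action, proto, src, dst))
    return aces

def allowed(in_if, out_if, proto, src, dst, acl=None):
    """Is a new connection entering in_if and leaving out_if permitted?"""
    if acl is None:
        # No access-group on in_if: only the implicit higher-to-lower rule applies.
        return SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]
    for ace in acl:                        # first match wins, top to bottom
        if ace.matches(proto, src, dst):
            return ace.action == "permit"
    return False                           # implicit 'deny ip any any'

# The poster's first attempt and vitripat's dmz_in, as quoted in the thread.
ICMP_ONLY = parse_acl(["access-list Inside_access_in extended permit icmp any any"])
DMZ_IN = parse_acl([
    "access-list dmz_in permit icmp any any",
    "access-list dmz_in deny ip any 192.168.1.0 255.255.255.0",
    "access-list dmz_in permit ip any any",
])
```

Binding ICMP_ONLY to inside makes TCP from inside to outside fail, which is exactly the symptom described; adding a trailing permit, as vitripat's dmz_in does, restores the outbound behaviour the implicit rule used to give.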

franktclark Fri, 03/30/2007 - 07:47

This will take a lot of ACL because I have 5 interfaces but if that is what it takes to get the job done then that is what I need to do.

It appears that with this method I don't need ICMP state inspection. I suspect that removing it reduces the CPU burden of the ASA but that may not really matter.
