query on icmp

Dec 8th, 2008

Hi all. My office is using an ASA 5510 and 3 interfaces, namely ext, int and dmz, are used. My int interface has higher security than dmz. I have enabled the access list to allow the int IP subnet to access dmz on ICMP. However, when I take a PC in the int LAN and ping a PC in the DMZ LAN, the ping fails. I expect ping to work since the ASA 5510 is stateful. Do I need to add inspect icmp? Thanks in advance.

Jon Marshall Mon, 12/08/2008 - 09:18
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

"Do I need to add inspect icmp?"

Yes, or allow ICMP back in with an access-list applied inbound to the DMZ interface.


Jon

donnie Mon, 12/08/2008 - 18:22

Hi Jon,

Thank you for your reply.

But why do I have to do this for ICMP traffic compared to other TCP traffic? Thanks in advance.

Jon Marshall Tue, 12/09/2008 - 10:02

"But why do I have to do this for ICMP traffic compared to other TCP traffic? Thanks in advance"

Do you mean

1) allow it back in with an access-list

OR

2) enable icmp inspection

With a standard TCP connection a stateful firewall uses the TCP flags + sequence numbers to keep track of state.

Now some TCP applications are not standard - FTP being a good example. So extra bits of code are added to the firewall to cope with these non-standard applications. Without these extra bits of code the normal stateful code of a firewall would not be able to adequately secure these applications. These extra bits of code used to be called fixups and are now called inspections.

But ICMP does not have sequence numbers or TCP flags, so there is nothing for it to keep track of in that respect. So, just like the non-standard TCP code, an extra bit of code has been written for ICMP. Note that this is new to the v7.x versions of code. Version 6.x of PIX software did not have this.

If you don't want to use the inspection code for ICMP you can do it the old way, i.e. because ICMP is not stateful you need to allow it both ways through the firewall with access-lists.


Jon
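The two options Jon describes, written out as ASA 7.x configuration. This is an added example and not part of the thread or of any poster's configuration; the interface names match the question, while the subnets (10.1.1.0/24 for int, 10.2.2.0/24 for dmz) and the access-list name DMZ_IN are constructed for illustration.

```text
! Option 1: ICMP inspection (what donnie enabled). Adding "inspect icmp" to
! the default global policy makes the ASA track each echo request and admit
! only the matching reply, so no return access-list is needed on dmz.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Option 2: no ICMP inspection; permit the replies explicitly inbound on dmz.
! Constructed subnets: int = 10.1.1.0/24, dmz = 10.2.2.0/24.
access-list DMZ_IN extended permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list DMZ_IN extended permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 time-exceeded
access-list DMZ_IN extended permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 unreachable
access-group DMZ_IN in interface dmz

! Verification:
!   show service-policy inspect icmp   -> hit counters for the ICMP inspect engine
!   show conn                          -> ICMP entries appear only while inspection is on
```

Two practical notes. Option 1 is the tighter choice: the inspection engine only lets through a reply that matches an echo the ASA has already seen leave int, whereas the access-list in option 2 admits any echo-reply from the DMZ whether or not something solicited it. Second, an access-list applied inbound on dmz carries an implicit deny at the end, so anything the DMZ hosts initiate towards ext (which the interface security levels allowed by default before) must now be permitted in DMZ_IN as well, or it stops working.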



donnie Tue, 12/09/2008 - 19:08

Hi Jon,

Thank you for the clear explanation. I have enabled ICMP inspection to resolve the problem.
