query on icmp

donnie
Level 1

Hi all. My office is using an ASA 5510 and 3 interfaces, namely ext, int and dmz, are used. My int interface has higher security than dmz. I have enabled the access list to allow the int IP subnet to be able to access dmz on ICMP. However, when I try a PC in the int LAN and ping a PC in the dmz LAN, the ping fails. I expect ping to work since the ASA 5510 is stateful. Do I need to add inspect icmp? Thanks in advance.

4 Replies

Jon Marshall
Hall of Fame

" Do i need to add inspect icmp?"

Yes, or allow ICMP back in with an access-list applied inbound to the DMZ interface.

Jon

Hi Jon,

Thank you for your reply.

But why do I have to do this for ICMP traffic compared to other TCP traffic? Thanks in advance.

"But why do I have to do this for ICMP traffic compared to other TCP traffic? Thanks in advance"

Do you mean

1) allow it back in with an access-list

OR

2) enable icmp inspection

With a standard TCP connection a stateful firewall uses the TCP Flags + sequence numbers to keep track of state.

Now some TCP applications are not standard - FTP being a good example. So extra bits of code are added to the firewall to cope with these non-standard applications. Without these extra bits of code the normal stateful code of a firewall would not be able to adequately secure these applications. These extra bits of code used to be called fixups and are now called inspections.

But ICMP does not have sequence numbers or TCP flags so there is nothing for it to keep track of in that respect. So just like the non-standard TCP code an extra bit of code has been written for ICMP. Note that this is new to the v7.x versions of code. Version 6.x of pix software did not have this.

If you don't want to use the inspection code for ICMP you can do it the old way, i.e. because ICMP is not stateful you need to allow it both ways through the firewall with access-lists.

Jon
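Both options Jon describes, written out as ASA 7.x-style configuration. This is an added example and not part of the thread or of any Cisco documentation; the interface names int and dmz are the poster's, while the subnets 192.168.10.0/24 (int) and 192.168.20.0/24 (dmz) and the ACL names int_in and dmz_in are made up for illustration.

```cisco
! Added example (not from the thread). Constructed addressing:
!   int LAN = 192.168.10.0/24, dmz LAN = 192.168.20.0/24
!
! --- The rule donnie already has: allow int hosts to send echo to dmz ---
access-list int_in extended permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 echo
access-group int_in in interface int
!
! --- Option 1: enable ICMP inspection. The ASA matches each echo-reply to
!     the outbound echo (source/destination, ICMP id and sequence) and lets
!     it back in with no rule on the dmz interface. global_policy and
!     inspection_default are the default policy-map/class names.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! --- Option 2 (the "old way"): no inspection, so replies must be explicitly
!     permitted inbound on the lower-security dmz interface. Permit only
!     echo-reply, not all of ICMP, so dmz hosts still cannot ping int hosts.
access-list dmz_in extended permit icmp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 echo-reply
access-group dmz_in in interface dmz
!
! Verify: inspection counters, and ACL hit counts while a ping is running
show service-policy inspect icmp
show access-list dmz_in
```

Two points worth knowing before choosing. With option 2, applying an access-group inbound on dmz removes the implicit "permit to lower-security interfaces" behaviour for that interface: anything dmz hosts were previously allowed to send towards ext by security level alone now has to appear in dmz_in as well. And the ACL cannot tell a solicited echo-reply from an unsolicited one, whereas inspection only admits a reply that corresponds to an outstanding echo, which is why it is the narrower of the two.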

Hi Jon,

Thank you for the clear explanation. I have enabled ICMP inspection to resolve the problem.
