Help with Application Inspection on ASA

fedecotofaja
Level 1

Hi All,

I have an ASA that has an OUTSIDE interface connected to the Internet, and an INSIDE interface connected to my LAN.

I enter the following commands on the ASA:

access-list 105 extended deny icmp any any
class-map ICMP
 match access-list 105
policy-map ICMP
 class ICMP
service-policy ICMP interface INSIDE

I thought that if I applied these commands, then the ICMP packets are going to be dropped, but that's not the case.

Are these commands doing anything on the ASA and can I drop packets by using CLASS-MAPS and POLICY-MAPS instead of using ACCESS-LISTS?

Thank you!

Federico.

3 Replies

Kureli Sankar
Cisco Employee

Those commands are not doing anything.

You need to permit the traffic in the access-list for it to be matched in the class-map and then specify what you want done for those matched packets like inspect icmp.

The best place to deny icmp is by applying an access-list IN on the inside interface and permitting everything else.

example:

access-list inside-acl deny icmp any any
access-list inside-acl permit ip any any
access-group inside-acl in int inside

I hope this helps.

Great Thank you!

What if I want to permit ICMP PING packets but only of a certain size?

Can I accomplish that with the CLASS-MAPS and POLICY-MAPS?

Thank you!

Presently I do not see a way to achieve this in the ASA/PIX or FWSM platform.

You can however do this for dns inspection.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130
