Why does ASA block icmp by default and not other traffic?

Answered Question
Jan 23rd, 2010

Hi,

Imagine an ASA with a web server on the "outside" and a PC on the "inside". By default, when we ping from the "inside" PC to the "outside" server, the traffic is blocked. We need to apply an ACL on the outside to permit the ICMP.

On the contrary, if we try to access a web page on the "outside" server from the "inside" PC, it's permitted by default.


I am not able to understand why.


Thanks in advance.


Regards,

Mohammed Abdulla.

Correct Answer by Jon Marshall about 7 years 6 months ago

reachabdulla wrote:


Hi,

Imagine an ASA with a web server on the "outside" and a PC on the "inside". By default, when we ping from the "inside" PC to the "outside" server, the traffic is blocked. We need to apply an ACL on the outside to permit the ICMP.

On the contrary, if we try to access a web page on the "outside" server from the "inside" PC, it's permitted by default.


I am not able to understand why.


Thanks in advance.


Regards,

Mohammed Abdulla.


Mohammed


Have a quick read of this thread - the bit that explains the basic function of an ASA firewall -


ASA basic function


The difference with ping is that it uses ICMP, and ICMP is not stateful in the way that TCP/UDP are (UDP is pseudo-stateful). Any protocol that isn't stateful needs its traffic explicitly allowed back in, unlike the HTTP example in the above thread. That's why you have to allow ICMP back in.


However, it should be noted that the ASA and PIX firewalls with v7.x code have the ability to do ICMP inspection, which, if you enable it, means you don't need to allow it back in with an ACL. Have a read of this link, which covers ICMP through the ASA -


ASA ICMP


Jon
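The two approaches Jon describes, written out as an added example in ASA 7.x-style configuration (not taken from the thread or from Cisco's documentation); the interface name "outside" matches the question, while the ACL name OUTSIDE_IN is assumed.

```text
! Option 1: no ICMP state - explicitly permit the reply types inbound on "outside".
! Without this, the echo-reply is dropped because the outbound echo-request
! created no connection entry for it to match.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside

! Option 2: ICMP inspection - the ASA records the outbound echo-request as a
! connection and admits only the matching echo-reply (same ID and sequence),
! so no inbound ACL entry is needed. "inspect icmp error" also matches ICMP
! error messages (e.g. time-exceeded from traceroute) to the original flow.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
```

Option 1 admits the listed ICMP types from any source whether or not a matching request went out; option 2 admits only replies that correspond to an outstanding request, so it is the tighter choice.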

