ASA 5500 and ICMP unreachable

Answered Question
Aug 31st, 2010

Hello,

we are using a ASA 5540 with 3 Interfaces.  Version 8.2(1)

One interface is Inside, one Outside and one interface is the DMZ.

1. Is it possible to configure the ASA, to send icmp unreachable messages, if one Server in the DMZ is down.

At the moment we are having Problems, because of the Timouts. The Programms hang for a llong time.

What do we have to configure?

2.  At many Firewalls it is possible to differentiate between drop and reject. At some ACLs we want the ASA to send back an

"Communication administratively prohibited". Is it possible to configure this?

Thanks in advance.

I have this problem too.
0 votes
Correct Answer by Edward Dutra about 6 years 3 months ago

Ahh...

I see now. The firewall will not respond to unreachable hosts with a ICMP unreachable since the firewall is suppose to be invisble. Currently there is no way to enable the firewall to send icmp unreachables. You can make a feature request with your Cisco Account team to see if this is something the firewall team can consider.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Edward Dutra Tue, 08/31/2010 - 11:01

Hi Benjamin...

Regarding question one. What exactly is the issue here? Is this a database server where the TCP connection goes idle for along while and the ASA is timing the connection out? Or, is the server actually goes down and you want the ASA to notify you when the server goes down? Please clarify.

Regarding question two. What protocol are you expecting the ASA to send this message? This can be done on HTTP if you are using the Websense or the Trendmicro CSC product which can display a block page to the end user . The ASA is not a proxy for various protocols, so it would not be able to send the message in question.

NetworkKnight Wed, 09/01/2010 - 00:41

Hello Edward,

Thank you for your response. I think my explanation was not very good, so i will explain it a little bit more in detail.

1. For example we have a Server in the DMZ and a client in the Intranet. Now the Client want to connect to the Server. So he sends a TCP Syn to the ASA, the ASA makes an ARP Request, gets an answer from the Server an forwards the Paket. This is the normal behaviour.

If the Server is down. The ASA makes an ARP Request an doesn't get an answer, so the client gets an Timout and waits for a long time and also doesn't get an answer. I would expect the ASA to send an ICMP Host unreachable message back to the Client  after a ARP Timeout . So the Application of the Client immidiatly prints an Error Message.

This is also important for us Administrators. If we Ping a Host in the DMZ we don't get an Answer. Now it could be the Firewall dropping the Paket or the host is down. If we would get an Host unreachable message, we would know that the Server is down and its not the firewall dropping the Paket.

2. This question was similar. For example we have a Host which is only reachable form a special subnet. If a Administrtor want to debug if he can reach this Host, he Pings the Host. He doesn't get an Answer because the Firewall drops it. So now again the Question is, if a Firewall is dropping it or if the Server is down or anything else is going wrong. For some ACLs it would be helpful to configure the ASA to send back an ICMP Unreachable Communication Administratively Prohibited (this could also be any other ICMP ERROR Message, or TCP Reset). So the debugging would be a lot easier.

It would also be good to send these Error Messages only to the intranet and not in the internet.

I hope it is a little bit clearer, what my question is.

Regards,

Benjamin

Correct Answer
Edward Dutra Thu, 09/02/2010 - 16:37

Ahh...

I see now. The firewall will not respond to unreachable hosts with a ICMP unreachable since the firewall is suppose to be invisble. Currently there is no way to enable the firewall to send icmp unreachables. You can make a feature request with your Cisco Account team to see if this is something the firewall team can consider.

Actions

This Discussion

Related Content