Why does enabling ICMP inspection allow ICMP traffic to pass the ASA?

Unanswered Question
Feb 22nd, 2011

I have an ASA 5510. I know that by default the ASA does not allow ICMP echo to pass through, so the host behind my ASA will not get echo replies.

I used to think that I had to create an access list to allow the ICMP packets to pass through the ASA. Then I found that I can also create a service policy to enable ICMP inspection to achieve the same goal.

But why? How does application inspection on ICMP "make" the ASA allow ICMP to pass without any access list configured?

Jennifer Halim Tue, 02/22/2011 - 23:28

You will have to configure an access-list to pass the ICMP echo if you already have access-lists applied to your interfaces. However, with "inspect icmp", the ASA will dynamically allow the corresponding ICMP echo-reply to pass through without needing an access-list entry to allow the echo-reply.

Here is more information on ICMP inspection for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735986

Hope that helps.

uber_cookie Tue, 02/22/2011 - 23:47

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic Access Control Lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftfwicmp.html

UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair. UDP also contains port pairs, and ICMP has type and code information. All of these data can be analyzed in order to build "virtual connections" in the cache. For instance, a cache entry will be created by any UDP packet which originates on the LAN. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN which have matching IP and UDP information will be allowed back in through the firewall.

http://www.ssimail.com/Stateful.htm

cooperchien Wed, 02/23/2011 - 11:18

Is it true that by default the ASA has its inspection engine configured not to allow ICMP echo to pass through? Then, when I enable stateful inspection on ICMP, the inspection engine will start to allow all ICMP types such as echo to pass through the ASA?

I am thinking that it is the inspection engine that blocks the ICMP packet, because I do not see any new access list created after I enable or disable ICMP inspection.

I used to think that enabling stateful inspection of ICMP and allowing ICMP to pass through the firewall were two different things. Is it by design that Cisco thinks that if you enable stateful inspection on ICMP, it is safe to allow ICMP to pass through the ASA?

Jennifer Halim Wed, 02/23/2011 - 16:55

No, not echo; it will allow the respective echo-reply back in if ICMP inspection is enabled.

For echo, you still need to allow that through in your access-list as echo will be the first connection through the firewall.

And it would be best if you enable ICMP inspection, because the firewall will check that only the legitimate reply gets through. With an access-list, it will pretty much allow any replies to come through.
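To make the two approaches discussed in this thread concrete, here is an added ASA configuration example (not posted by any participant and not taken from the linked Cisco documents). It assumes an inside network of 192.168.10.0/24 and interface names "inside" and "outside"; the ACL and policy-map names are made up for illustration. The first block is the access-list-only approach, which lets any echo-reply in whether or not an inside host asked for it. The second block is the approach Jennifer Halim recommends: permit the outbound echo with an ACL and let "inspect icmp" admit only the matching reply.

```cisco
! --- Approach 1: access-list only (weak) -----------------------------
! Inbound echo-reply is permitted statically, so an unsolicited
! echo-reply from anywhere on the outside reaches the inside hosts.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside

! --- Approach 2: ACL for the request, inspection for the reply --------
! Remove the static echo-reply permit from the outside ACL.
no access-list OUTSIDE_IN extended permit icmp any any echo-reply

! Only needed if an ACL is already applied inbound on "inside"
! (otherwise higher-to-lower security traffic is allowed by default).
! Echo is the first packet of the "connection", so it must be permitted.
access-list INSIDE_IN extended permit icmp 192.168.10.0 255.255.255.0 any echo
access-group INSIDE_IN in interface inside

! Enable ICMP inspection in the default global policy. The ASA then
! creates a connection entry for each outbound echo and admits only
! the echo-reply that matches it; the reply needs no ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Verification --------------------------------------------------------
! While an inside host pings an outside address:
show service-policy inspect icmp
show conn | include ICMP
show access-list INSIDE_IN
```

The "inspect icmp error" line is an assumption added here rather than something the thread mentions: it extends inspection to ICMP error messages (time-exceeded, destination unreachable) so the embedded IP header is translated consistently with NAT. The "show conn" output is the check that answers the original question: after "inspect icmp" is enabled, no new access-list appears in the configuration, but a per-ping ICMP connection entry does, and that entry is what admits the reply.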
