Why does enabling ICMP inspection allow ICMP traffic to pass the ASA?

cooperchien (Level 1)

I have an ASA 5510. I know that by default the ASA does not allow ICMP echo to pass through, so the host behind my ASA will not get echo replies.

I used to think that I must create an access list to enable the ICMP packets to pass through the ASA. Then I found that I can also create a service policy to enable ICMP inspection to achieve the same goal.

But why? How does application inspection on ICMP "make" the ASA allow ICMP to pass without any access list configured?

Accepted Solution

uber_cookie (Level 1)

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic Access Control Lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftfwicmp.html

UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair. UDP also contains port pairs, and ICMP has type and code information. All of these data can be analyzed in order to build "virtual connections" in the cache. For instance, a cache entry will be created by any UDP packet which originates on the LAN. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN which have matching IP and UDP information will be allowed back in through the firewall.

http://www.ssimail.com/Stateful.htm


4 Replies

Jennifer Halim (Cisco Employee)

You will have to configure access-list to pass through the ICMP ECHO if you already have access-list applied to your interfaces, however, with the "inspect icmp", it will dynamically allow the corresponding ICMP ECHO Reply to pass through without needing to have access-list to allow the ECHO Reply.

Here is more information on ICMP inspection for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735986

Hope that helps.


cooperchien (Level 1)

Is it true that by default the ASA has the inspection engine configured not to allow ICMP echo to pass through? Then when I enable stateful inspection on ICMP, the inspection engine will start to allow all ICMP types such as echo to pass through the ASA?

I am thinking that it is the inspection engine that blocks the ICMP packet, because I do not see any new access list created after I enable or disable ICMP inspection.

I used to think that enabling stateful inspection of ICMP and allowing ICMP to pass through the firewall are two different things. Is it by design that Cisco thinks that if you enable stateful inspection on ICMP, it is safe to allow ICMP to pass through the ASA?

Jennifer Halim (Cisco Employee)

No, not echo, it will allow the respective echo-reply back in if icmp inspection is enabled.

For echo, you still need to allow that through in your access-list as echo will be the first connection through the firewall.

And it would be best if you enable icmp inspection because the firewall will check that only the legitimate reply gets through. With access-list, it will pretty much allow any replies to come through.
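The mechanism the accepted answer and the reply above describe, as an added example that is not part of the original thread and is not Cisco code: a small Python model of stateful ICMP inspection. An outbound request from an inside host records a session; only a reply of the expected type, from the expected peer, with the same identifier and sequence is let back in, and only once; time-exceeded and destination-unreachable errors are accepted from any source (the wild-card the accepted answer mentions) as long as the datagram they quote belongs to a live session; an inbound echo request creates no return entry, so it still needs an explicit ACL. The 2-second timeout, the addresses and the traffic are constructed for the example, and `acl_only_permits` stands in for a static `permit icmp any any echo-reply` rule to show why it lets a spoofed reply through where inspection does not.

```python
from dataclasses import dataclass

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP, TIMESTAMP_REPLY = 13, 14

# Request types an inside host may originate, and the reply type each one produces.
REQUEST_TO_REPLY = {ECHO_REQUEST: ECHO_REPLY, TIMESTAMP: TIMESTAMP_REPLY}
# Error types that an intermediate router may send, so their source address is wildcarded.
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}
ICMP_TIMEOUT = 2.0  # seconds; an assumption for this model (ASA default 'timeout icmp' is 0:00:02)


@dataclass(frozen=True)
class Icmp:
    """One ICMP packet. For error types, ident/seq are the fields quoted from the
    original datagram that triggered the error; the inspector matches on those."""
    src: str
    dst: str
    type: int
    ident: int = 0
    seq: int = 0
    ts: float = 0.0  # arrival time in seconds (constructed clock, not wall time)


class IcmpInspector:
    """Toy stateful ICMP inspection in the style of 'inspect icmp' on an ASA."""

    def __init__(self):
        # (inside_src, outside_dst, ident, seq) -> (expected reply type, expiry time)
        self.sessions = {}

    def _expire(self, now):
        self.sessions = {k: v for k, v in self.sessions.items() if v[1] > now}

    def outbound(self, pkt):
        """Inside -> outside. The request itself must still be permitted by the
        interface ACL (it is the first packet of the connection); inspection only
        records the session so that the matching reply can be let back in."""
        self._expire(pkt.ts)
        if pkt.type in REQUEST_TO_REPLY:
            key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
            self.sessions[key] = (REQUEST_TO_REPLY[pkt.type], pkt.ts + ICMP_TIMEOUT)

    def inbound(self, pkt):
        """Outside -> inside. True only if a live session accounts for the packet:
        this is the dynamic, per-session permit the accepted answer describes."""
        self._expire(pkt.ts)
        if pkt.type in ERROR_TYPES:
            # Source wildcarded: the error may come from any hop on the path, but the
            # datagram it quotes must belong to a live session of the inside host.
            return any(k[0] == pkt.dst and k[2:] == (pkt.ident, pkt.seq)
                       for k in self.sessions)
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        sess = self.sessions.get(key)
        if sess is None or sess[0] != pkt.type:
            return False  # unsolicited, wrong type, wrong peer, or timed out
        del self.sessions[key]  # one reply per request; a duplicate is dropped
        return True


def acl_only_permits(pkt, permitted_types):
    """The alternative the last reply contrasts: a static 'permit icmp any any
    echo-reply' on the outside interface. No session state, so any reply from
    anywhere passes as long as its type is on the list."""
    return pkt.type in permitted_types


def demo():
    """Constructed traffic: inside host 10.1.1.10 pings 198.51.100.5 twice."""
    fw, r = IcmpInspector(), {}
    fw.outbound(Icmp("10.1.1.10", "198.51.100.5", ECHO_REQUEST, 0x1234, 1, ts=0.0))
    reply = Icmp("198.51.100.5", "10.1.1.10", ECHO_REPLY, 0x1234, 1, ts=0.1)
    r["good_reply"] = fw.inbound(reply)
    r["duplicate_reply"] = fw.inbound(reply)

    fw.outbound(Icmp("10.1.1.10", "198.51.100.5", ECHO_REQUEST, 0x1234, 2, ts=1.0))
    # TTL expired at a router on the path: the source is not the pinged host
    r["time_exceeded_from_router"] = fw.inbound(
        Icmp("203.0.113.1", "10.1.1.10", TIME_EXCEEDED, 0x1234, 2, ts=1.1))
    spoofed = Icmp("192.0.2.99", "10.1.1.10", ECHO_REPLY, 0x1234, 2, ts=1.2)  # wrong peer
    r["spoofed_reply"] = fw.inbound(spoofed)
    r["spoofed_reply_acl_only"] = acl_only_permits(spoofed, {ECHO_REPLY})
    # reply to a host that never sent a request
    r["unsolicited_reply"] = fw.inbound(
        Icmp("198.51.100.5", "10.1.1.20", ECHO_REPLY, 0x1234, 1, ts=1.2))
    # a new echo request from outside is not a return packet; it needs an explicit ACL
    r["inbound_echo_request"] = fw.inbound(
        Icmp("198.51.100.5", "10.1.1.10", ECHO_REQUEST, 7, 1, ts=1.3))
    # the real reply to request 2, but after the session has timed out
    r["late_reply"] = fw.inbound(
        Icmp("198.51.100.5", "10.1.1.10", ECHO_REPLY, 0x1234, 2, ts=5.0))
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28} {'PERMIT' if allowed else 'DROP'}")
```

Running the block prints one verdict per packet: the first reply and the router's time-exceeded are permitted, the duplicate, spoofed, unsolicited, late and inbound-request packets are dropped, while the stateless echo-reply rule permits the spoofed reply. That is the difference the reply above points at: the static ACL has no memory of which request is outstanding, so it cannot tell a legitimate reply from any other packet of the same type.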
