New Member

ICMP Inspection Not Working

Hi Folks,

I've recently deployed a Cisco 5510 Security Plus (8.2.1) to a small company; I've the basics working, but just need to close off some further configurations.  I have a couple of issues, but thought I'd start off with the most basic.

I'm trying to ping from INSIDE (from 10.84.x.x hosts, which are routed via separate router @ 10.84.0.1/192.16.84.10 to the Cisco ASA @ 192.16.84.1) to any machine on the OUTSIDE.

I have ICMP enabled in the default inspection map, however pings are still timing out, and I'm seeing the following in the logging (when pinging news.bbc.co.uk from my own desktop):

4 | Nov 17 2010 | 10:25:50 | 106023 | 10.84.6.37 | 212.58.246.80 | Deny icmp src inside:10.84.6.37 dst outside:212.58.246.80 (type 8, code 0) by access-group "int_transit_access_in" [0x0, 0x0]

So the ASA is dropping the traffic due to that ACL, despite the fact there's a default ICMP inspection in play.  Is there any reason why the ACL may override the inspection?  If it makes any difference, dynamic NAT is in play between the internal 10.84.x.x subnet and the external interface.

I've attached a sanitised copy of my running config.  Apologies if it is difficult to read, or if I haven't provided enough information here; I'm fairly new to Cisco and the running configuration is very much a work in progress.

Many thanks,

Alistair

4 REPLIES
Cisco Employee

Re: ICMP Inspection Not Working

The ACL that is assigned to an interface comes first, before the default ICMP inspection.

ICMP inspection provides deep packet inspection on ICMP packets to create the necessary xlate/translation; however, the interface access-lists will be checked first for all traffic.

You would need to configure your "int_transit_access_in" ACL to allow the ICMP traffic through.

Hope that makes sense.

New Member

Re: ICMP Inspection Not Working

Hi Jennifer,

Thanks for the quick response, much appreciated.

I'm not sure I totally understand this; surely all ASAs will require some sort of ACLs to filter traffic, and therefore ICMP inspection will always be overridden by the ACLs, therefore rendering inspection useless in the majority of cases?

Or perhaps I misunderstand inspections in general; I thought they should bypass the need for ACLs, but are they actually purely used to allow translations, despite the fact I have a dynamic NAT implemented which I thought would handle it.  Strangely, if I disable the ICMP inspection and instead create 'any icmp' rules in the ACLs, pings do begin to work...

Sorry for the confusion!

Alistair

Cisco Employee

Re: ICMP Inspection Not Working

No, inspection provides deeper packet inspection, and the ACL applied on the interface provides the first level of filtering.

Whether you have inspection turned on or off for ICMP, you still need to allow the traffic through if you have an ACL applied to your ASA interface.

Here is more information on ICMP inspection for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1720439

Just taking FTP inspection in more detail:

When you enable FTP inspection, the ASA will check the FTP control connection and dynamically open a pinhole for the FTP data connection, as we know that FTP control and data are on different ports.

The same goes for the rest of the inspections, which provide deep packet inspection according to application-specific features.
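As an added illustration (not from the original thread or from Alistair's attached config), this is what the fix described in the two replies above looks like in ASA 8.2 syntax: the interface ACL named in the log gets an explicit permit for outbound echo requests, and ICMP inspection stays in the global policy so the ASA tracks each request and admits only the matching reply. The interface name `inside` and the 10.84.0.0/16 mask are assumptions taken from the log line; the remark lines are constructed.

```cisco
! Interface ACL evaluated inbound on "inside" (interface name assumed from the
! log's "src inside"). Whatever the sanitised config already permits stays here.
access-list int_transit_access_in remark --- existing application rules go here ---
!
! The fix: permit outbound echo requests (type 8) from the 10.84.x.x networks.
! Without this ACE the request is dropped with %ASA-4-106023 before inspection
! is ever consulted, which is exactly the deny seen in the log above.
access-list int_transit_access_in remark --- let inside hosts ping outside ---
access-list int_transit_access_in extended permit icmp 10.84.0.0 255.255.0.0 any echo
access-group int_transit_access_in in interface inside
!
! Keep ICMP inspection enabled in the global policy. The ASA then records each
! echo request and opens a pinhole for the matching echo-reply only, so no
! "permit icmp any any echo-reply" is needed on the outside interface. If
! inspection were disabled, ICMP would not be tracked statefully and the reply
! would have to be permitted explicitly instead (the "any icmp" workaround
! Alistair observed working).
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Verification, from privileged EXEC: the new ACE should show a rising hit
! count while pinging, and the inspect counters should be non-zero.
!   show access-list int_transit_access_in
!   show service-policy inspect icmp
```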

New Member

Re: ICMP Inspection Not Working

Excellent, thanks for this Jennifer - makes sense!

Alistair
