
New Member

query on icmp

Hi all. My office is using an ASA 5510 and 3 interfaces, namely ext, int and dmz, are used. My int interface has higher security than dmz. I have enabled the access list to allow the int IP subnet to be able to access dmz on ICMP. However, when I try a PC in the int LAN and ping a PC in the dmz LAN, the ping fails. I expect ping to work since the ASA 5510 is stateful. Do I need to add inspect icmp? Thanks in advance.

4 REPLIES
Hall of Fame Super Blue

Re: query on icmp

" Do i need to add inspect icmp?"

Yes, or allow ICMP back in with an access-list applied inbound to the DMZ interface.

Jon

New Member

Re: query on icmp

Hi Jon,

Thank you for your reply.

But why do I have to do this for ICMP traffic compared to other TCP traffic? Thanks in advance.

Hall of Fame Super Blue

Re: query on icmp

"But why do I have to do this for ICMP traffic compared to other TCP traffic? Thanks in advance"

Do you mean

1) allow it back in with an access-list

OR

2) enable icmp inspection

With a standard TCP connection a stateful firewall uses the TCP Flags + sequence numbers to keep track of state.

Now some TCP applications are not standard - FTP being a good example. So extra bits of code are added to the firewall to cope with these non-standard applications. Without these extra bits of code the normal stateful code of a firewall would not be able to adequately secure these applications. These extra bits of code used to be called fixups and are now called inspections.

But ICMP does not have sequence numbers or TCP flags so there is nothing for it to keep track of in that respect. So just like the non-standard TCP code an extra bit of code has been written for ICMP. Note that this is new to the v7.x versions of code. Version 6.x of pix software did not have this.

If you don't want to use the inspection code for ICMP you can do it the old way, i.e. because ICMP is not stateful you need to allow it both ways through the firewall with access-lists.

Jon
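The two options Jon gives (ICMP inspection, or an inbound access-list on the DMZ interface) written out as ASA CLI configuration. This is an added illustration for the thread, not configuration posted by the original poster or by Jon; the interface names int and dmz come from the question, while the subnets 10.1.1.0/24 (int) and 10.2.2.0/24 (dmz) and the access-list names are assumed placeholders.

```text
! Context: the outbound rule the original poster already has, letting the
! int subnet send echo requests to the dmz subnet.
access-list int_in extended permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 echo
access-group int_in in interface int

! Option 1 (ASA 7.x and later): enable the ICMP inspection engine.
! The ASA then records each outbound echo request and admits exactly one
! matching echo reply, so no inbound rule on dmz is needed for replies.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global

! Option 2 (the "old way"): no inspection, so replies are not tracked and
! must be explicitly permitted back in on the lower-security interface.
! Note this is not stateful: any echo reply from the dmz subnet to the int
! subnet is admitted whether or not a request went out first.
access-list dmz_in extended permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-group dmz_in in interface dmz
```

If an access-group is already applied inbound on the dmz interface, add the echo-reply line to that existing access-list instead of applying a new one, since only one inbound access-group can be bound per interface. With option 1, `show service-policy inspect icmp` confirms the inspection is active and `show conn` will list the ICMP connection while a ping is in progress.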

New Member

Re: query on icmp

Hi Jon,

Thank you for the clear explanation. I have enabled ICMP inspection to resolve the problem.
