Cisco Support Community

Correct application method of ICMP inspection with ASA



This document describes the proper procedure for applying ICMP Inspection in ASA.

Core Issue:


On the ASA, ICMP Inspection treats every packet in its target class as an ICMP packet and inspects it as such, regardless of the actual protocol. Therefore, as in the configuration below, when traffic other than ICMP is included in the ICMP Inspection target, those packets are mistakenly dropped.

class-map ANY
  match any
policy-map global_policy
  class ANY
    inspect icmp



For example, the following Syslog output is produced when Telnet traffic is mistakenly dropped by the above settings.


%ASA-4-313004: Denied ICMP type=0, from laddr on  interface inside to no matching session
%ASA-6-302014: Teardown TCP connection 24 for outside:  to inside: duration 0:00:00 bytes 0 Flow closed by  inspection


The proper way to apply ICMP Inspection on the ASA is one of the following two settings.


Setting example 1)
Apply the inspection to the default class, inspection_default.


policy-map global_policy
  class inspection_default
    inspect icmp

Setting example 2)
Use an ACL so that the inspection is enabled only for ICMP traffic.


access-list ICMP extended permit icmp any any
class-map ICMP
  match access-list ICMP
policy-map global_policy
  class ICMP
    inspect icmp
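As an added audit check (not part of the original document or of any Cisco tool), the following Python script applies the rule above to a saved ASA configuration: it flags every "inspect icmp" that sits under a class which is neither the default class inspection_default nor restricted to ICMP by its access-list. It assumes running-config style text and only understands the access-list, class-map and policy-map lines shown on this page; the sample configurations are constructed from the page's examples.

```python
import re

# Constructed sample configs (not from a real device): the page's misapplied form and its corrected setting example 2.
BAD_CONFIG = """\
class-map ANY
 match any
policy-map global_policy
 class ANY
  inspect icmp
"""
GOOD_CONFIG = """\
access-list ICMP extended permit icmp any any
class-map ICMP
 match access-list ICMP
policy-map global_policy
 class ICMP
  inspect icmp
"""

def parse_asa_config(text):
    """Collect permit-ACE protocols per ACL, the match clause per class-map, and every inspect statement."""
    acls, class_maps, inspects, ctx = {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit (\S+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"class-map (\S+)", line):
            ctx = ("class-map", m[1])
        elif m := re.match(r"policy-map (\S+)", line):
            ctx = ("policy-map", m[1], None)          # no class selected yet
        elif ctx and ctx[0] == "class-map" and (m := re.match(r"match (.+)", line)):
            class_maps[ctx[1]] = m[1]
        elif ctx and ctx[0] == "policy-map" and (m := re.match(r"class (\S+)", line)):
            ctx = ("policy-map", ctx[1], m[1])
        elif ctx and ctx[0] == "policy-map" and ctx[2] and (m := re.match(r"inspect (\S+)", line)):
            inspects.append((ctx[1], ctx[2], m[1]))  # (policy-map, class, protocol)
    return acls, class_maps, inspects

def find_misapplied_icmp_inspection(text):
    """Return (policy-map, class) pairs where 'inspect icmp' would also see non-ICMP flows."""
    acls, class_maps, inspects = parse_asa_config(text)
    findings = []
    for pmap, cls, proto in inspects:
        match = class_maps.get(cls, "")
        if proto != "icmp" or cls == "inspection_default" or match == "default-inspection-traffic":
            continue                      # not ICMP inspection, or setting example 1
        if match.startswith("access-list "):
            protos = acls.get(match.split()[1], [])
            if protos and all(p == "icmp" for p in protos):
                continue                  # ACL limits the class to ICMP: setting example 2
        findings.append((pmap, cls))      # e.g. 'match any': Telnet and other flows get dropped
    return findings
```

An ACL that also permits "ip" or another protocol is reported, because such a class still feeds non-ICMP packets into the ICMP inspector.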


Related Information

Original Document: Cisco Support Community Japan DOC-12095

Author: Zhao Qin

Posted on July 15, 2010