This document describes the proper procedure for applying ICMP Inspection in ASA.
On ASA, ICMP Inspection treats every packet selected by its class as an ICMP packet and inspects it as such, regardless of the packet's actual protocol. Therefore, as in the configuration below, when traffic other than ICMP is included in the ICMP Inspection target, those packets are mistakenly dropped.

class-map ANY
 match any
policy-map global_policy
 class ANY
  inspect icmp
For example, the following is the Syslog output produced when a Telnet connection is mistakenly dropped by the configuration above.

%ASA-4-313004: Denied ICMP type=0, from laddr 192.168.1.1 on interface inside to 192.168.2.1: no matching session
%ASA-6-302014: Teardown TCP connection 24 for outside:192.168.2.1/23 to inside:192.168.1.1/34573 duration 0:00:00 bytes 0 Flow closed by inspection
The proper procedure for applying ICMP Inspection in ASA is either of the following two configurations.

Setting example 1) Apply it to the default class inspection_default.

policy-map global_policy
 class inspection_default
  inspect icmp
Setting example 2) Use an ACL so that the class matches only ICMP traffic.

access-list ICMP extended permit icmp any any
!
class-map ICMP
 match access-list ICMP
!
policy-map global_policy
 class ICMP
  inspect icmp
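The following audit script is an added example and is not part of the original document or Cisco's tooling. It applies the rule above to ASA configuration text: every class under which inspect icmp is configured is flagged unless that class can only select ICMP traffic (match default-inspection-traffic, or an ACL whose permit entries are all icmp/icmp6). Only the keywords shown on this page are parsed, and the sample configuration is constructed to combine the bad class ANY with both corrected settings.

```python
import re
ICMP_PROTOS = {"icmp", "icmp6"}

def audit_icmp_inspection(cfg):
    """Return [(policy-map, class)] pairs where 'inspect icmp' also sees non-ICMP packets."""
    acls, matches, inspects = {}, {}, []     # ACL -> permitted protos, class -> match criteria
    section = name = cls = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line[0] == "!":
            continue
        m = re.match(r"access-list (\S+) extended permit (\S+)", line)
        if m:
            acls.setdefault(m[1], set()).add(m[2])
        elif not raw.startswith(" "):                       # new top-level command
            section, name = (line.split() + [None])[:2]
            if section == "class-map":
                matches[name] = []
        elif section == "class-map" and line.startswith("match "):
            matches[name].append(line[6:])                  # "any", "access-list ICMP", ...
        elif section == "policy-map" and line.startswith("class "):
            cls = line.split()[1]
        elif section == "policy-map" and line == "inspect icmp":
            inspects.append((name, cls))
    def icmp_only(crit):
        """A criterion is safe only if it can never select non-ICMP traffic."""
        if crit == "default-inspection-traffic":            # the inspection_default class
            return True
        m = re.match(r"access-list (\S+)$", crit)           # ACL whose permit ACEs are all ICMP
        return bool(m) and bool(acls.get(m[1])) and acls[m[1]] <= ICMP_PROTOS
    return [(pm, c) for pm, c in inspects
            if not (matches.get(c) and all(map(icmp_only, matches[c])))]

# Constructed sample combining the three configurations shown on this page.
SAMPLE_CFG = """\
access-list ICMP extended permit icmp any any
class-map inspection_default
 match default-inspection-traffic
class-map ANY
 match any
class-map ICMP
 match access-list ICMP
policy-map global_policy
 class inspection_default
  inspect icmp
 class ANY
  inspect icmp
 class ICMP
  inspect icmp
"""
```

Running audit_icmp_inspection(SAMPLE_CFG) reports only global_policy / ANY; a class whose ACL also permits tcp or udp is reported the same way, since such packets would likewise be dropped with %ASA-4-313004.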
Original Document: Cisco Support Community Japan DOC-12095