{"id":463,"date":"2018-04-17T16:11:00","date_gmt":"2018-04-17T16:11:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=463"},"modified":"2024-11-17T17:29:28","modified_gmt":"2024-11-17T17:29:28","slug":"icmp-inspection-on-the-asa","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/icmp-inspection-on-the-asa\/","title":{"rendered":"ICMP Inspection on the ASA"},"content":{"rendered":"<p>This is a very common question that comes up when engineers are deploying a new ASA in an environment:\u00a0<strong>\u201cwhy can\u2019t I ping outbound from the inside network?\u201d<\/strong>\u00a0Although experienced engineers may already know the answer, I think it\u2019s worth demonstrating for people who do not and who would like to understand this behaviour.<\/p>\n<p>By default, the ASA inspects TCP and UDP traffic, so the reply traffic is able to come back as part of its stateful filtering (remembering the connection) feature; however, the ASA out of the box will not inspect ICMP traffic. To allow ping to work outbound we need to enable inspection for ICMP. This can be done by simply editing the default global policy and specifying that we want to inspect ICMP traffic.<\/p>\n<p><strong>Example<\/strong><\/p>\n<p>The basic topology below has been set up in GNS3. 
In the steps below we will take a look at the default behaviour, and how to configure ICMP inspection both via the GUI and the CLI.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"818\" height=\"448\" class=\"wp-image-464\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-1.png\" \/><br \/>\nAssuming the topology is functioning and has the basics (Inside\/Outside Zones\/NAT) in place and the inside hosts are able to get out, if we ping from the inside network, outbound, the ping should not be successful.<\/p>\n<p><strong>Let\u2019s take a look at this:<\/strong><\/p>\n<p><strong>Step 1:<\/strong>\u00a0On the ASA set up debugging so that when we test ping we can see what the firewall is doing.<\/p>\n<p>#debug icmp trace<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"713\" height=\"44\" class=\"wp-image-465\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-2.png\" \/><\/p>\n<p><strong>Step 2:<\/strong>\u00a0From PC 1 ping 8.8.8.8; this should fail.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"926\" height=\"175\" class=\"wp-image-466\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-3.png\" \/><\/p>\n<p><strong>Step 3:<\/strong>\u00a0On the ASA let\u2019s take a look at the output.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"867\" height=\"122\" class=\"wp-image-467\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-4.png\" \/><\/p>\n<p>From the output above, we can see that the ICMP\u00a0\u201cecho request\u201d\u00a0is going through the\u00a0\u201cInside\u201d\u00a0interface and out the\u00a0\u201cOutside\u201d\u00a0interface, at which point NAT is doing its job and translating the source IP address. 
However, we cannot see any\u00a0\u201cecho reply\u201d.<\/p>\n<p>As the ICMP traffic leaving the firewall is not inspected, the firewall does not create a connection entry for it and so has no record that a reply is expected back to the host. The firewall therefore sees the return traffic as new, unsolicited traffic arriving inbound on the outside interface from 8.8.8.8, and as there are no ACLs in place to allow this traffic the firewall drops it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1258\" height=\"119\" class=\"wp-image-468\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-5.png\" \/><\/p>\n<p><strong>Let\u2019s enable ICMP inspection.<\/strong><\/p>\n<p><strong>GUI example using ASDM:<\/strong><\/p>\n<p><strong>Step 4:<\/strong>\u00a0Click on\u00a0\u201cConfiguration-Firewall-Service Policy Rules\u201d, select the default policy and click\u00a0\u201cEdit\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1109\" height=\"705\" class=\"wp-image-469\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-6.png\" \/><\/p>\n<p><strong>Step 5:<\/strong>\u00a0Click on the\u00a0\u201cRule Actions\u201d\u00a0tab, tick\u00a0\u201cICMP\u201d\u00a0and click\u00a0\u201cOK\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"671\" height=\"664\" class=\"wp-image-470\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-7.png\" \/><\/p>\n<p><strong>Step 6:<\/strong>\u00a0Click\u00a0\u201cApply\u201d\u00a0to send the configuration to the ASA.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"259\" class=\"wp-image-471\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-8.png\" \/><\/p>\n<p><strong>Step 7:<\/strong>\u00a0From the PC ping outbound to 8.8.8.8; as we can see, this time round the ping is successful.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"764\" height=\"202\" class=\"wp-image-472\" 
src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-9.png\" \/><\/p>\n<p><strong>Step 8:<\/strong>\u00a0Looking at the debug messages, we can now see\u00a0\u201cecho request\u201d\u00a0leaving the ASA and\u00a0\u201cecho reply\u201d\u00a0coming back into the ASA. This time round the ASA inspects the ICMP traffic leaving the firewall, therefore it is able to allow the return traffic dynamically due to stateful filtering.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"221\" class=\"wp-image-473\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-10.png\" \/><\/p>\n<p>If we dig a bit deeper by doing a capture for ICMP traffic in real-time on the outside interface, we should see more detail. Set up the capture and ping 8.8.8.8 from the PC once again.<\/p>\n<p>#capture icmp interface outside real-time match icmp any<\/p>\n<p>We can see the forward traffic\u00a0(in blue)\u00a0being translated, and then the return traffic\u00a0(in green)\u00a0being un-translated. 
This is the ASA inspecting the traffic and remembering the connection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"578\" class=\"wp-image-474\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-11.png\" \/><\/p>\n<p><strong>CLI example:<\/strong><\/p>\n<p><strong>Step 1:<\/strong>\u00a0To configure ICMP inspection via the CLI, we simply amend the default policy to inspect ICMP using the following commands:<\/p>\n<p>#conf t<\/p>\n<p>#policy-map global_policy<\/p>\n<p>#class inspection_default<\/p>\n<p>#inspect icmp<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"852\" height=\"70\" class=\"wp-image-475\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-463-12.png\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a very common question that comes up when engineers are deploying a new ASA in an environment,\u00a0\u201cwhy can\u2019t I ping outbound from the<\/p>\n","protected":false},"author":1,"featured_media":476,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,6],"tags":[56,55,57,58],"class_list":["post-463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cisco-firewall","category-security","tag-asa","tag-cisco","tag-cisco-asa","tag-icmp"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=463"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/463\/
revisions"}],"predecessor-version":[{"id":477,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/463\/revisions\/477"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/476"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}