ASA ICMP/Traceroute

  • Post category: ASA / Cisco

By default the ASA permits ICMP replies TO any ASA interface, but does not permit ICMP THROUGH the ASA. In other words, you need to specifically configure the ASA to permit the ICMP replies. This can be achieved in two ways: either by enabling ICMP inspection, or by configuring an ACL inbound on the outside interface that permits echo-reply.

From a LAN switch on the inside of the ASA we ping a device on the outside; with no specific configuration this should fail.

  • Turn on ICMP debug on the ASA by entering the command debug icmp trace

After turning on debug on the ASA and repeating the same ping test, we can see only ICMP echo requests – no replies!

  • Configure logging by entering the commands logging enable and logging console warnings. Be careful enabling this in a production environment

Repeating the same test with logging enabled, we can see %ASA-3-10614: Deny inbound icmp. This is the ICMP reply being denied.

In order to permit an ICMP reply an ACL on the OUTSIDE interface must specifically permit an echo-reply. Remember there is an implicit deny at the end of the ACL so all other traffic will be denied unless explicitly permitted.

access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface OUTSIDE

After configuring the ACL on the OUTSIDE interface permitting echo-reply, we see in the debug the ICMP echo reply. You can also determine that NAT is in use (translating the request and untranslating the reply).

Now that ping is working correctly, testing traceroute to the same destination will fail without further configuration.

From the logs on the ASA you can clearly identify which ICMP Types are being denied.

Add additional ACEs to the ACL previously configured, to permit ICMP Type 3 (destination unreachable) and Type 11 (time exceeded).

access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
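To show how the denied ICMP types are read out of the ASA logs and turned into the ACEs above, here is an added Python example (not from the original post). The log lines are constructed; their message ID 106014 is assumed to be the standard "Deny inbound icmp" ID, and the parser keys on the message text and the "(type N, code N)" suffix rather than the ID.

```python
import re
from collections import Counter

# Constructed sample ASA syslog output (not captured from a real device).
# Includes a denied echo request (type 8) from the outside, which a
# ping/traceroute reply ACL should NOT open up, plus an unrelated TCP line.
SAMPLE_LOG = """\
%ASA-3-106014: Deny inbound icmp src OUTSIDE:203.0.113.10 dst INSIDE:192.0.2.5 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src OUTSIDE:203.0.113.1 dst INSIDE:192.0.2.5 (type 11, code 0)
%ASA-3-106014: Deny inbound icmp src OUTSIDE:203.0.113.1 dst INSIDE:192.0.2.5 (type 11, code 0)
%ASA-3-106014: Deny inbound icmp src OUTSIDE:203.0.113.10 dst INSIDE:192.0.2.5 (type 3, code 3)
%ASA-3-106014: Deny inbound icmp src OUTSIDE:198.51.100.7 dst INSIDE:192.0.2.5 (type 8, code 0)
%ASA-6-302013: Built outbound TCP connection 12 for OUTSIDE:203.0.113.10/80 (203.0.113.10/80) to INSIDE:192.0.2.5/51000 (192.0.2.5/51000)
"""

# Matches the body of the "Deny inbound icmp" message; the syslog ID prefix is ignored.
DENY_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# ICMP types that a ping or traceroute through the ASA needs back in,
# mapped to the ASA access-list keyword for each.
REPLY_TYPES = {0: "echo-reply", 3: "unreachable", 11: "time-exceeded"}


def denied_icmp_types(log_text):
    """Count denied inbound ICMP messages, keyed by (source interface, ICMP type)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            counts[(m["src_if"], int(m["type"]))] += 1
    return counts


def suggested_aces(counts, acl_name="OUTSIDE_IN"):
    """Build ACE lines for the denied types that ping/traceroute replies need.
    Any other denied type (e.g. type 8 echo request) is left denied."""
    aces = []
    for (_iface, icmp_type) in sorted(counts):
        keyword = REPLY_TYPES.get(icmp_type)
        if keyword:
            aces.append(f"access-list {acl_name} extended permit icmp any any {keyword}")
    return aces


if __name__ == "__main__":
    counts = denied_icmp_types(SAMPLE_LOG)
    for (iface, icmp_type), n in sorted(counts.items()):
        print(f"{iface}: ICMP type {icmp_type} denied {n} time(s)")
    print("\n".join(suggested_aces(counts)))
```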

Repeating the same traceroute test now clearly identifies the IP addresses in the path. However, none of those hops is the IP address of the ASA itself.

By default the ASA does not decrement the TTL of packets passing through the firewall, so it never appears as a hop. In order to see the ASA as a hop in the path of a traceroute, the MPF must be configured to decrement the TTL.

policy-map global_policy
 class class-default
  set connection decrement-ttl

Repeat the same traceroute test, notice now the inside IP address of the ASA is visible in the output.

Inspect ICMP

Instead of configuring an ACL permitting echo-reply, ICMP inspection can be enabled by entering the command fixup protocol icmp. This results in the global policy being modified as below.

policy-map global_policy
 class inspection_default
  inspect icmp

After enabling ICMP inspection, replies to pings through the ASA are permitted; however, traceroute still requires ICMP Type 3 and Type 11 to be permitted in an ACL.