How to allow ICMP through your Cisco ASA/PIX firewall

ICMP packets are not stateful, how does the ASA handle them by default?

Internet Control Message Protocol (ICMP) pings and traceroute on the PIX Firewall are handled differently based on the version of PIX and ASA code.

Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.

Pings initiated from the internet?

Pings initiated from the outside, or another low security interface of the PIX, are denied be default. The pings can be allowed by the use of a combination of a static nat statement and an access-list.

How do you allow ICMP response packets from the internet?

When you ping a host on the internet, although your access-list on the inside interface may allow ICMP, since ICMP is stateless you need to explicitly allow ICMP replies to enter your firewall on it’s return route.

Option 1 – Using access-list

The first option is to setup a specific rule for each type of echo message. This will allow any response type ICMP messages to enter the outside interface.

For example first define an access-list with the types of ICMP replies, then apply it to the outside interface.

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

This only allows icmp return messages through the firewall when an inside user pings to an outside host. The other types of ICMP status messages might be hostile and the firewall blocks all other ICMP messages.

Option 2 – The better option – use ICMP inspection

This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.

policy-map global_policy
class inspection_default
inspect icmp

For more detailed info visit: here

How to configure ICMP inspection on ASDM

  1. Select Configuration
  2. Service Policy Rules
  3. On the right side under Global-Policy select “inspection_default”
  4. Click edit to edit the service policy ruleinspect_icmp_1
  5. Select Rule Actions
  6. Click Protocol Inspection
  7. Check “ICMP” and “ICMP Error” and hit OKinspect_icmp_2
Related Posts with Thumbnails

About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV