ICMP packets are not stateful, how does the ASA handle them by default?
Internet Control Message Protocol (ICMP) pings and traceroute on the PIX Firewall are handled differently based on the version of PIX and ASA code.
Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.
Pings initiated from the internet?
Pings initiated from the outside, or from another low-security interface of the PIX, are denied by default. They can be allowed with a combination of a static NAT statement and an access-list.
How do you allow ICMP response packets from the internet?
When you ping a host on the internet, even though your access-list on the inside interface may allow ICMP, ICMP is stateless, so you need to explicitly allow the ICMP replies to enter the firewall on its return route.
Option 1 – Using access-list
The first option is to set up a specific rule for each type of ICMP reply message. This allows only the listed response-type ICMP messages to enter the outside interface.
For example first define an access-list with the types of ICMP replies, then apply it to the outside interface.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This only allows ICMP return messages through the firewall when an inside user pings an outside host. Other ICMP message types might be hostile, so the firewall continues to block them.
Option 2 – The better option – use ICMP inspection
ICMP inspection lets traffic from a trusted inside address traverse the firewall and allows the replies back to that trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. You also gain the ability to monitor the ICMP traffic that traverses the firewall. In this example, ICMP inspection is added to the default global inspection policy.
policy-map global_policy
 class inspection_default
  inspect icmp
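To make the difference between the two options concrete, here is an added Python model (not from the original article or from Cisco) of how a stateless reply ACL and a stateful ICMP inspection session table treat the same constructed packet sequence. The session key, the one-reply-per-request rule and the sample addresses are assumptions of the model, not a description of ASA internals.

```python
from collections import namedtuple

ECHO_REQUEST, ECHO_REPLY, UNREACHABLE, TIME_EXCEEDED, SOURCE_QUENCH = 8, 0, 3, 11, 4  # RFC 792
REPLY_TYPES = {ECHO_REPLY, UNREACHABLE, TIME_EXCEEDED, SOURCE_QUENCH}

# direction: "out" = inside -> outside, "in" = outside -> inside.  ident: echo identifier.
# embedded: (src, dst, ident) of the original request quoted inside an ICMP error message.
Packet = namedtuple("Packet", "direction src dst icmp_type ident embedded", defaults=(0, None))

def acl_option(pkt):
    """Option 1: stateless ACL permitting the four reply types from any outside source."""
    return pkt.direction == "out" or pkt.icmp_type in REPLY_TYPES

class IcmpInspector:
    """Option 2: minimal model of 'inspect icmp'. An outbound echo request opens a
    session keyed (inside host, outside host, identifier); inbound ICMP passes only
    if it answers an open session, and a single echo-reply closes that session."""
    def __init__(self):
        self.sessions = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.icmp_type == ECHO_REQUEST:
                self.sessions.add((pkt.src, pkt.dst, pkt.ident))
            return True
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)  # reply is addressed back to the requester
        elif pkt.icmp_type in REPLY_TYPES and pkt.embedded:
            key = pkt.embedded                   # error quotes the request that triggered it
        else:
            return False                         # inbound echo requests and the rest are denied
        allowed = key in self.sessions
        if allowed and pkt.icmp_type == ECHO_REPLY:
            self.sessions.discard(key)           # only one reply per request
        return allowed

def evaluate(packets):
    """Return (acl_verdict, inspection_verdict) for each packet, in order."""
    insp = IcmpInspector()
    return [(acl_option(p), insp.allow(p)) for p in packets]

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts)
SAMPLE = [
    Packet("out", "10.1.1.5", "203.0.113.9", ECHO_REQUEST, 0x1234),
    Packet("in", "192.0.2.1", "10.1.1.5", TIME_EXCEEDED, embedded=("10.1.1.5", "203.0.113.9", 0x1234)),
    Packet("in", "203.0.113.9", "10.1.1.5", ECHO_REPLY, 0x1234),    # genuine reply
    Packet("in", "203.0.113.9", "10.1.1.5", ECHO_REPLY, 0x1234),    # duplicate reply
    Packet("in", "198.51.100.7", "10.1.1.5", ECHO_REPLY, 0x9999),   # unsolicited reply
    Packet("in", "198.51.100.7", "10.1.1.5", ECHO_REQUEST, 0x0001), # inbound ping
]
```

Running evaluate(SAMPLE) shows the ACL passing the duplicate and the unsolicited echo-reply, while the inspection model passes only the replies that answer the outbound request.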
How to configure ICMP inspection on ASDM
- Select Configuration
- Service Policy Rules
- On the right side under Global-Policy select “inspection_default”
- Click edit to edit the service policy rule
- Select Rule Actions
- Click Protocol Inspection
- Check “ICMP” and “ICMP Error” and click OK