ICMP’s primary functions are error reporting at layer-3, and troubleshooting. In fact, two of the most useful networking tools, ping and traceroute, rely upon it. However, it is tightly bound to the IP stack at layer-3, so it’s no surprise that the ASA firewall treats it differently to other protocols like TCP or UDP.
The ASA can track an ICMP session by inspecting ICMP packets. This results in an ICMP session being tracked, which allows response packets back through.
ACL Evaluation : Please note that ICMP inspection does not bypass all ACLs. An ICMP packet will be allowed through the ASA without an ACL evaluation, only if it is part of an already established session. Like TCP or UDP, the first packet in the ICMP flow must still be evaluated against security policies, and allowed, in order for the flow to be established.
Inspect ICMP : Consider the topology below. R1 and R2 are separated by an ASA with default security configuration. The inside interface has security-level 100, and the outside interface has a security level of 0. All devices have appropriate IP addressing and routes.
With this configuration, consider the traffic flow when R1 tries to ping R2:
* R1 creates an ICMP echo packet, and forwards it to the next-hop, the ASA
* The ASA determines that the inside interface is the ingress, and the outside interface is the egress
* As the inside inderface has a higher security level than the outside, the packet is allowed to pass
* R2 receives the echo packet, and creates an echo-reply, which it sends to the next-hop (the ASA)
* The ASA determines the ingress and egress interfaces
* The packet is trying to travel from a lower security-level interface to a higher one, so the packet is dropped
Now, turn on ICMP inspection :
Enable ICMP Inspection
policy-map global_policy
class inspection_default
inspect icmp​
The process now behaves a little differently :
* R1 creates an ICMP echo packet, and forwards it to the next-hop, the ASA
* The ASA determines that the inside interface is the ingress, and the outside interface is the egress
* As the inside inderface has a higher security level than the outside, the packet is allowed to pass
* The ASA begins to track this ICMP session
* R2 receives the echo packet, and creates an echo-reply, which it sends to its next-hop (the ASA)
* The ASA determines that this is part of an existing session, and allows the echo-reply through
What if R2 tries to ping R1 now? When R2 sends the echo packet to the ASA, the ASA will still drop the packet (due to the security-level configuration), and will not begin to track the session.
If ICMP is required from the outside interface, an ACL needs to be configured to allow it through.
