
Tag#3 ICMP over ASA

  • Writer: sukeshtandon
  • Sep 26, 2018
  • 1 min read

For TCP the ASA is stateful: when a connection is initiated from the inside, the return traffic is automatically allowed back in through the outside interface. ICMP carries no connection information of the kind TCP has (no TCP sequence numbers, no port numbers); an ICMP message carries only source and destination IP addresses plus its own type, code, identifier and sequence fields. So how does the firewall perform stateful inspection of ICMP?

With "inspect icmp" enabled, the ASA tracks each echo request (or timestamp request) that leaves through the inside interface and dynamically allows the corresponding echo-reply, time-exceeded, destination-unreachable or timestamp-reply back in through the outside interface, matching it against the tracked request by addresses and by the ICMP identifier and sequence number. No access-list on the outside interface is needed for this. Only one response is admitted per request; an echo-reply that matches no tracked request is dropped.


On the inside interface no response is tracked, since the request leaves and nothing needs to be matched there. What about the outside interface?


Outside Interface

----------------------




There are two ways to allow ICMP replies back in: a static access-list on the outside interface, or ICMP inspection configured in the policy map. Inspection is the preferred option: an access-list that permits echo-reply admits any echo-reply from the outside whether or not an inside host ever sent a request, while inspection admits only a reply that matches a request it has tracked.

policy-map global_policy
 class inspection_default
  inspect icmp
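To make the difference between the two options concrete, here is an added Python model (not from the original post and not Cisco's implementation) of the session entry that "inspect icmp" opens for each outbound request, side by side with a static ACL that simply permits reply types. It goes slightly beyond the text by also showing how an ICMP error sent by an intermediate hop is matched back to the request it quotes. The addresses, identifiers and traffic in it are constructed for the example.

```python
"""Toy model of ASA-style ICMP inspection next to a static ACL.

Added example, not from the original post and not Cisco's code. It models
the session that `inspect icmp` tracks for each outbound request and
contrasts it with an outside ACL that simply permits reply types.
Addresses, identifiers and traffic below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP message types (RFC 792)
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST = 0, 3, 8
TIME_EXCEEDED, TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 11, 13, 14

REQUEST_TYPES = {ECHO_REQUEST, TIMESTAMP_REQUEST}
ERROR_TYPES = {DEST_UNREACHABLE, TIME_EXCEEDED}
REPLY_TYPES = {ECHO_REPLY, TIMESTAMP_REPLY}

SessionKey = Tuple[str, str, int, int]  # (inside src, outside dst, ident, seq)


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    itype: int
    ident: int = 0          # identifier field of echo/timestamp messages
    seq: int = 0            # sequence number field
    # Error messages (types 3 and 11) quote the header of the packet that
    # triggered them; modelled here as that packet's session key.
    quoted: Optional[SessionKey] = None


class StaticAcl:
    """Outside-interface ACL permitting reply types. Keeps no state."""

    def __init__(self, permitted_types):
        self.permitted = set(permitted_types)

    def inbound(self, pkt: Icmp) -> bool:
        return pkt.itype in self.permitted


class IcmpInspector:
    """Stateful model: a request opens one slot for one matching response."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt: Icmp) -> bool:
        # Inside -> outside is permitted by security level; requests are tracked.
        if pkt.itype in REQUEST_TYPES:
            self.sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt: Icmp) -> bool:
        if pkt.itype in REPLY_TYPES:
            # A reply mirrors the request: its src is our dst and vice versa.
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        elif pkt.itype in ERROR_TYPES:
            # Errors may come from any hop, so match on the quoted request.
            key = pkt.quoted
        else:
            return False  # e.g. an echo request from outside: never opened
        if key in self.sessions:
            self.sessions.discard(key)  # one response per request
            return True
        return False


def run_demo() -> dict:
    """Return {scenario: (acl_allows, inspector_allows)} for constructed traffic."""
    inside, outside, hop = "10.1.1.10", "203.0.113.5", "198.51.100.1"
    acl = StaticAcl(REPLY_TYPES | ERROR_TYPES)
    fw = IcmpInspector()
    out = {}

    fw.outbound(Icmp(inside, outside, ECHO_REQUEST, ident=0x1234, seq=1))
    reply = Icmp(outside, inside, ECHO_REPLY, ident=0x1234, seq=1)
    out["matching_reply"] = (acl.inbound(reply), fw.inbound(reply))
    out["replayed_reply"] = (acl.inbound(reply), fw.inbound(reply))

    stray = Icmp(outside, "10.1.1.99", ECHO_REPLY, ident=7, seq=7)
    out["unsolicited_reply"] = (acl.inbound(stray), fw.inbound(stray))

    fw.outbound(Icmp(inside, outside, ECHO_REQUEST, ident=0x1234, seq=2))
    expired = Icmp(hop, inside, TIME_EXCEEDED,
                   quoted=(inside, outside, 0x1234, 2))
    out["time_exceeded_for_tracked_request"] = (acl.inbound(expired), fw.inbound(expired))

    probe = Icmp(outside, inside, ECHO_REQUEST, ident=1, seq=1)
    out["inbound_echo_request"] = (acl.inbound(probe), fw.inbound(probe))
    return out


if __name__ == "__main__":
    for name, (acl_ok, insp_ok) in run_demo().items():
        print(f"{name:36s} acl={acl_ok!s:5s} inspect={insp_ok}")
```

Running it shows the point of the post: the ACL lets through the genuine reply, a replay of that same reply, and an echo-reply nobody asked for, while the inspector admits exactly one response per tracked request and drops the rest. Both drop an inbound echo request, since neither path opens the outside interface to new ICMP requests.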

After the changes are made:






But how exactly does this work for a TCP session such as telnet? Let's take a look.



