Cisco ASA – ICMP Inspect and the Connection Table

Recently I’ve discovered that there is, well, fairly limited information online around this point. In this short article we will explain how ICMP inspect, whether disabled or enabled, affects the connection table.

What is ICMP Inspect?

“The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct

When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.”

ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp


When ICMP inspection enabled, for a single ICMP ping, a single connection is created within the connection table. The connection is torn down once the ICMP request and reply have been seen. In other words the request and reply traverse the ASA via the same connection.
Due to the speed that the ICMP connection is built and torn down, it is highly likely that you will be able to see the connection by running show connection

Mar 15 2012 11:22:38: %ASA-7-609001: Built local-host outside:
Mar 15 2012 11:22:38: %ASA-6-302020: Built outbound ICMP connection for faddr gaddr laddr
Mar 15 2012 11:22:38: %ASA-6-302021: Teardown ICMP connection for faddr gaddr laddr
Mar 15 2012 11:22:38: %ASA-7-609002: Teardown local-host outside: duration 0:00:00


When ICMP inspection is not enabled 2 separate connections are created for each ICMP transaction. One connection by the ICMP echo request and another by the ICMP echo reply. The connection will be torn down once the ICMP timeout has been reached. By default the ICMP connection timeout is 2 seconds.

ciscoasa# show conn
ICMP outside inside, idle 0:00:00, bytes 168, flags  
ICMP outside inside, idle 0:00:00, bytes 224, flags
Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial