fir3net

Cisco ASA - ICMP Inspect and the Connection Table

Recently I've discovered that there is fairly limited information online on this topic. In this short article we explain how ICMP inspect, whether enabled or disabled, affects the ASA connection table.

What is ICMP Inspect?

"The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.

When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request." [1]

ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp

Enabled

When ICMP inspection is enabled, a single ICMP ping creates a single connection within the connection table. The connection is torn down as soon as both the ICMP echo request and the echo reply have been seen. In other words, the request and the reply traverse the ASA via the same connection.
Because the ICMP connection is built and torn down so quickly, it is highly unlikely that you will catch it in the output of show conn; the syslog messages below are the easier place to observe it.

Mar 15 2012 11:22:38: %ASA-7-609001: Built local-host outside:10.1.1.100
Mar 15 2012 11:22:38: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.1.100/0 gaddr 131.1.11.81/48756 laddr 172.16.12.44/48756
Mar 15 2012 11:22:38: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.100/0 gaddr 131.1.11.81/48756 laddr 172.16.12.44/48756
Mar 15 2012 11:22:38: %ASA-7-609002: Teardown local-host outside:10.1.1.100 duration 0:00:00

Disabled

When ICMP inspection is not enabled, two separate connections are created for each ICMP transaction: one for the ICMP echo request and another for the ICMP echo reply. Each connection is torn down only once the ICMP timeout has been reached; by default the ICMP connection timeout is 2 seconds.

ciscoasa# show conn
...
ICMP outside 10.1.1.100:0 inside  172.16.12.44:46452, idle 0:00:00, bytes 168, flags  
ICMP outside 10.1.1.100:0 inside  172.16.12.44:46452, idle 0:00:00, bytes 224, flags
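The difference can be spotted from the show conn output itself. The following is an added example (not from the article or Cisco) that parses the ICMP rows and flags flows with two entries for the same outside address, inside address and ICMP identifier, which is the signature of the request and reply each building their own connection. The sample input reuses the article's two rows plus a third constructed row; the number after the inside address is treated as the ICMP identifier.

```python
import re

# Constructed sample: the article's two rows (one flow, two entries, ICMP
# inspection disabled) plus a third row added here with a different ICMP ID.
SAMPLE = """ciscoasa# show conn
ICMP outside 10.1.1.100:0 inside  172.16.12.44:46452, idle 0:00:00, bytes 168, flags
ICMP outside 10.1.1.100:0 inside  172.16.12.44:46452, idle 0:00:00, bytes 224, flags
ICMP outside 10.1.1.100:0 inside  172.16.12.44:46453, idle 0:00:01, bytes 84, flags
"""

# One ICMP row of `show conn`; the number after the inside address is treated
# as the ICMP identifier.
CONN_RE = re.compile(
    r"^ICMP\s+\S+\s+(?P<oaddr>[\d.]+):\d+\s+\S+\s+(?P<iaddr>[\d.]+):(?P<icmp_id>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+)"
)

def parse_idle(hms):
    """'0:00:01' -> 1 (seconds)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_show_conn(text):
    """Return the ICMP rows of `show conn` output; other rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            rows.append({"key": (m["oaddr"], m["iaddr"], int(m["icmp_id"])),
                         "idle": parse_idle(m["idle"]), "bytes": int(m["bytes"])})
    return rows

def assess_icmp_inspection(rows, icmp_timeout=2):
    """Group rows per ICMP flow (outside addr, inside addr, ICMP ID).
    Two entries for one flow mean the echo request and the echo reply each
    built a connection, which only happens without 'inspect icmp'. A single
    entry is ambiguous: it may be an inspected flow still waiting for its
    reply. icmp_timeout is the ASA default 'timeout icmp' of 2 seconds."""
    flows = {}
    for r in rows:
        flows.setdefault(r["key"], []).append(r)
    report = {}
    for key, entries in flows.items():
        oldest = max(e["idle"] for e in entries)
        report[key] = {
            "entries": len(entries),
            "verdict": "inspection likely disabled" if len(entries) > 1 else "ambiguous",
            "timeout_remaining": max(0, icmp_timeout - oldest),
        }
    return report
```

Run it against a pasted show conn capture taken while a ping is in flight; a flow reported with two entries is the uninspected case described above.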

References

[1] http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html

Tags: ASA, Cisco, Firewall, ICMP

About the Author


R Donato

Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Ricky on Twitter @f3lix001