Cisco ASA – ICMP Inspect and the Connection Table

Recently I’ve discovered that there is, well, fairly limited information online around this point. In this short article we will explain how ICMP inspect, whether disabled or enabled, affects the connection table.

What is ICMP Inspect?

“The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct

When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.”

ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp

Enabled

When ICMP inspection enabled, for a single ICMP ping, a single connection is created within the connection table. The connection is torn down once the ICMP request and reply have been seen. In other words the request and reply traverse the ASA via the same connection.
Due to the speed that the ICMP connection is built and torn down, it is highly likely that you will be able to see the connection by running show connection

Mar 15 2012 11:22:38: %ASA-7-609001: Built local-host outside:10.1.1.100
Mar 15 2012 11:22:38: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.1.100/0 gaddr 131.1.11.81/48756 laddr 172.16.12.44/48756
Mar 15 2012 11:22:38: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.100/0 gaddr 131.1.11.81/48756 laddr 172.16.12.44/48756
Mar 15 2012 11:22:38: %ASA-7-609002: Teardown local-host outside:10.1.1.100 duration 0:00:00

Disabled

When ICMP inspection is not enabled 2 separate connections are created for each ICMP transaction. One connection by the ICMP echo request and another by the ICMP echo reply. The connection will be torn down once the ICMP timeout has been reached. By default the ICMP connection timeout is 2 seconds.

ciscoasa# show conn
...
ICMP outside 10.1.1.100:0 inside  172.16.12.44:46452, idle 0:00:00, bytes 168, flags  
ICMP outside 10.1.1.100:0 inside  172.16.12.44:46452, idle 0:00:00, bytes 224, flags

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial