Recently I discovered that there is fairly limited information online on this point. In this short article we explain how ICMP inspection, whether enabled or disabled, affects the ASA connection table.
What is ICMP Inspect?
“The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the adaptive security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.”
ciscoasa(config-cmap)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
Enabled
When ICMP inspection is enabled, a single ping creates a single connection in the connection table. The connection is torn down once the ASA has seen both the ICMP echo request and the echo reply; in other words, the request and the reply traverse the ASA over the same connection.
Because the connection is built and torn down so quickly, you are unlikely to catch it in the output of show conn. The syslog messages, however, show the connection being built and torn down within the same second (note the duration of 0:00:00):
Mar 15 2012 11:22:38: %ASA-7-609001: Built local-host outside:10.1.1.100
Mar 15 2012 11:22:38: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.1.100/0 gaddr 131.1.11.81/48756 laddr 172.16.12.44/48756
Mar 15 2012 11:22:38: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.100/0 gaddr 131.1.11.81/48756 laddr 172.16.12.44/48756
Mar 15 2012 11:22:38: %ASA-7-609002: Teardown local-host outside:10.1.1.100 duration 0:00:00
Disabled
When ICMP inspection is not enabled, two separate connections are created for each ICMP transaction: one for the ICMP echo request and another for the ICMP echo reply (which, coming from a lower to a higher security interface, must be permitted by an ACL). Each connection is torn down only once the ICMP timeout has been reached. By default the ICMP connection timeout is 2 seconds (timeout icmp 0:00:02), so both entries are visible in show conn for a short while after the ping completes:
ciscoasa# show conn
...
ICMP outside 10.1.1.100:0 inside 172.16.12.44:46452, idle 0:00:00, bytes 168, flags
ICMP outside 10.1.1.100:0 inside 172.16.12.44:46452, idle 0:00:00, bytes 224, flags
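As an added example that is not part of the original article, the following Python model captures the difference described in the Enabled and Disabled sections above: one connection per ping that closes when the matching reply is seen, versus one connection per direction that only ages out with the 2 second timeout. It is not ASA code and only encodes the behaviour the article states; the addresses, ICMP identifier, timings, the inside prefix and the assumption that an ACL permits inbound echo replies in the disabled case are all constructed for the illustration.

```python
"""Simplified model of the ASA ICMP connection table with and without 'inspect icmp'.
Added illustration, not Cisco code: it encodes only the behaviour described above
(one connection per ping with inspection, torn down when the matching reply is seen;
one per direction without it, aged out by the default 2 second timeout). Constructed data."""
from dataclasses import dataclass

ICMP_TIMEOUT = 2.0  # ASA default: timeout icmp 0:00:02

@dataclass(frozen=True)
class Packet:
    t: float     # arrival time in seconds (constructed)
    src: str
    dst: str
    kind: str    # "echo-request" or "echo-reply"
    ident: int   # ICMP identifier, the "port" shown in show conn and syslog
    seq: int     # ICMP sequence number

@dataclass
class Conn:
    built: float
    last: float
    seq: int     # sequence number of the outstanding request

class AsaConnTable:
    def __init__(self, inspect_icmp, acl_permits_reply=True, inside_prefix="172.16.12."):
        self.inspect = inspect_icmp
        # Without inspection a reply from the lower-security side only passes if an
        # ACL permits it; assumed present here, as the 'Disabled' output above implies.
        self.acl_permits_reply = acl_permits_reply
        self.inside_prefix = inside_prefix
        self.conns = {}   # (src, dst, ident) -> Conn
        self.built = 0    # total connections ever created
        self.log = []

    def age_out(self, now):
        """Remove entries idle for at least the ICMP timeout."""
        for key, c in list(self.conns.items()):
            if now - c.last >= ICMP_TIMEOUT:
                self.log.append(f"{now:.2f} Teardown ICMP connection {key} (idle timeout)")
                del self.conns[key]

    def _build(self, key, pkt):
        self.conns[key] = Conn(pkt.t, pkt.t, pkt.seq)
        self.built += 1
        self.log.append(f"{pkt.t:.2f} Built ICMP connection {key}")

    def process(self, pkt):
        """Apply one packet to the table; return 'permit' or 'deny'."""
        self.age_out(pkt.t)
        inside_src = pkt.src.startswith(self.inside_prefix)
        inside_dst = pkt.dst.startswith(self.inside_prefix)
        if pkt.kind == "echo-request" and inside_src:
            # Outbound request (higher to lower security): allowed and tracked.
            key = (pkt.src, pkt.dst, pkt.ident)
            if key in self.conns:
                self.conns[key].last, self.conns[key].seq = pkt.t, pkt.seq
            else:
                self._build(key, pkt)
            return "permit"
        if pkt.kind == "echo-reply" and inside_dst:
            if self.inspect:
                # The reply rides on the request's connection, must match its identifier
                # and sequence number, and closes it: exactly one reply per request.
                key = (pkt.dst, pkt.src, pkt.ident)
                c = self.conns.get(key)
                if c is None or c.seq != pkt.seq:
                    self.log.append(f"{pkt.t:.2f} Deny unmatched echo-reply id={pkt.ident} seq={pkt.seq}")
                    return "deny"
                self.log.append(f"{pkt.t:.2f} Teardown ICMP connection {key}")
                del self.conns[key]
                return "permit"
            # No inspection: the reply is an independent flow with its own entry, checked
            # against the ACL only, so replayed or forged replies are accepted as well.
            if not self.acl_permits_reply:
                return "deny"
            key = (pkt.src, pkt.dst, pkt.ident)
            if key in self.conns:
                self.conns[key].last = pkt.t
            else:
                self._build(key, pkt)
            return "permit"
        return "deny"  # inbound requests and other ICMP types are outside this model

def run_scenario(inspect_icmp):
    """One ping and its reply, then a replayed and a mismatched reply, then silence."""
    inside, outside, ident = "172.16.12.44", "10.1.1.100", 48756
    packets = [
        Packet(0.00, inside, outside, "echo-request", ident, 1),
        Packet(0.25, outside, inside, "echo-reply", ident, 1),   # the genuine reply
        Packet(0.50, outside, inside, "echo-reply", ident, 1),   # replayed reply
        Packet(0.75, outside, inside, "echo-reply", ident, 9),   # wrong sequence number
    ]
    asa = AsaConnTable(inspect_icmp)
    verdicts = [asa.process(p) for p in packets]
    entries_after_burst = len(asa.conns)
    asa.age_out(3.0)  # well past the 2 second timeout after the last packet
    return {"verdicts": verdicts, "built": asa.built,
            "entries_after_burst": entries_after_burst,
            "entries_after_timeout": len(asa.conns), "log": asa.log}
```

Compare run_scenario(True) with run_scenario(False): with inspection the table holds a single entry that disappears as soon as the genuine reply passes, and the replayed and mismatched replies are denied; without inspection there are two entries (one per direction), every reply the ACL permits is accepted, and the entries only go away once the idle timeout expires. Real ASA behaviour is richer (NAT, ICMP error inspection, per-interface security levels); the model fixes only the points the two sections above make.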