which way is better to protect "icmp" using icmp inspect vs access lists

Posted on 2011-04-27
Last Modified: 2012-05-11
In some of our ASA configs we are allowing, yet protecting ourselves from the misuse of, ICMP by putting the following access lists on our ASAs:

access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any source-quench
access-list outside-in deny icmp any host < FW outside address >

I have been asked the question:

Isn't it better to inspect the ICMP traffic, or is this just adding unneeded overhead to the firewall?


I am fairly new to the ASAs, so I would appreciate your help understanding the difference and the best way to secure ICMP.

We want to allow outbound ICMP requests both through the ASA out to the internet and also allow ICMP requests made on the ASA out to the internet.

I'd appreciate your input and help understanding the difference.

Question by:mhagen4808
    LVL 57

    Expert Comment

    by:Pete Long
    >>Isn't it better to inspect the ICMP traffic, or is this just adding unneeded overhead to the firewall?

    Yes it is better - and the overhead is tiny :)

    Remove those lines and add icmp inspection

    Cisco Firewalls and PING

    LVL 8

    Expert Comment

    It's better to inspect, but inspecting any type of traffic also defeats using the ACL entries, as incoming traffic is first checked against existing "sessions" before ACL checking. So you should find that removing the ACL permit icmp entries and adding icmp inspect, if you don't have it already, will provide the same result for inside -> internet ICMP traffic.

    For ICMP traffic to/from the firewall itself, you need to look at the icmp command.

    Another Pete!

    Author Comment

    I wouldn't be offended if you would help me out with your statement:

    for icmp traffic to/from the firewall itself, you need to look at the icmp command.

    LVL 8

    Accepted Solution

    Inspection is performed for traffic that passes through the firewall, such as from an inside client to the internet or to a DMZ, or from the internet to an inside server or DMZ server. This is for all types of traffic: TCP, UDP, ICMP etc. UDP and ICMP are handled as if they were stateful in the way TCP is, i.e. entries are created in the translate table and they are timed out if no response is seen. As an example, in the case of DNS, when a response is seen the UDP translation is then removed from the translate table; when an echo reply is seen in response to an echo request (ping), the translate is removed.

    But for traffic initiated by or terminating at the firewall, the normal inspection process is not followed. E.g., if you ping an address from the firewall console, the ICMP packet does not pass through the inspection code. You mentioned ...
    "also allow ICMP requests made on the ASA out to the internet."
    For this type of traffic to be allowed, in the case of ICMP, you need to configure icmp permit entries. If you don't do so, the firewall will block ICMP replies at the interface and then appear to be unable to ping any address.

    hope that makes sense now?
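    A toy model of the contrast the accepted answer draws, added here as an illustration (not code from the thread or from Cisco): the poster's static outside-in list, walked first-match in order, beside stateful tracking in the spirit of "inspect icmp" / "inspect icmp error", where an outbound echo request opens an entry and only the matching reply, or an error message quoting that request, is admitted and then closes the entry. Addresses and the echo identifier are constructed.

```python
from dataclasses import dataclass

# ICMP type numbers used in the thread's access list
ECHO_REPLY, UNREACHABLE, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: int
    ident: int = 0        # echo identifier, i.e. the ping session
    inner: "Icmp" = None  # request quoted inside an error message

# The poster's outside-in list in order: four permits by type, then a deny
# to the firewall's outside address; first match wins, implicit deny last.
OUTSIDE_IN = [("permit", TIME_EXCEEDED), ("permit", ECHO_REPLY),
              ("permit", UNREACHABLE), ("permit", SOURCE_QUENCH),
              ("deny", "to-firewall")]

def acl_allows_inbound(pkt, fw_outside):
    """Static filter: a reply-type packet from anywhere is let in."""
    for action, match in OUTSIDE_IN:
        hit = pkt.dst == fw_outside if match == "to-firewall" else pkt.kind == match
        if hit:
            return action == "permit"
    return False

class IcmpInspector:
    """Stateful model: an outbound echo request opens an entry, and the one
    reply (or error message quoting that request) matching it is admitted
    and removes the entry, as the answer above describes for echo reply."""
    def __init__(self):
        self.conns = set()

    def outbound(self, pkt):
        if pkt.kind == ECHO_REQUEST:
            self.conns.add((pkt.src, pkt.dst, pkt.ident))

    def inbound(self, pkt):
        if pkt.kind == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)
        elif pkt.inner is not None:  # error: match on the quoted request
            key = (pkt.inner.src, pkt.inner.dst, pkt.inner.ident)
        else:
            return False             # unsolicited, nothing to match
        if key in self.conns:
            self.conns.discard(key)  # reply seen, entry removed
            return True
        return False
```

    Note that in the modelled list the final deny only ever catches types the four permits did not already match, which is one reason the replies above suggest dropping the permit lines in favour of inspection.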

    Author Comment

    Yes, sorry for not getting back to you.
    This question can be closed.
    LVL 35

    Expert Comment

    by:Ernie Beek
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
