which way is better to protect "icmp" using icmp inspect vs access lists

Posted on 2011-04-27
Medium Priority
Last Modified: 2012-05-11
In some of our ASA configs we are allowing ICMP yet protecting ourselves from its misuse by putting the following access lists on our ASAs:

access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any source-quench
access-list outside-in deny icmp any host < FW outside address >

I have been asked the question:

Isn't it better to inspect the ICMP traffic, or is this just adding unneeded overhead to the firewall?


I am fairly new to the ASAs, so I would appreciate your help in understanding the difference and the best way to secure ICMP.

We want to allow outbound ICMP requests both through the ASA out to the internet and also allow ICMP requests made on the ASA out to the internet.

I'd appreciate your input and help understanding the difference.

Question by: mhagen4808
LVL 57

Expert Comment

by: Pete Long
ID: 35482170
>>Isn't it better to inspect the ICMP traffic, or is this just adding unneeded overhead to the firewall?

Yes it is better - and the overhead is tiny :)

Remove those lines and add icmp inspection

Cisco Firewalls and PING


Expert Comment

ID: 35488734
It's better to inspect, but inspecting any type of traffic also defeats using the ACL entries, as incoming traffic is first checked against existing "sessions" before ACL checking. So you should find that removing the ACL permit icmp entries and adding icmp inspect, if you don't have it already, will provide the same result for inside -> internet ICMP traffic.

For ICMP traffic to/from the firewall itself, you need to look at the icmp command.

Another Pete!

Author Comment

ID: 35488750
I wouldn't be offended if you would help me out with your statement:

"for ICMP traffic to/from the firewall itself, you need to look at the icmp command."



Accepted Solution

pgolding00 earned 1000 total points
ID: 35488911
Inspection is performed for traffic that passes through the firewall, such as from an inside client to the internet or to a DMZ, or from the internet to an inside server or DMZ server. This is for all types of traffic: TCP, UDP, ICMP, etc. UDP and ICMP are handled as if they were stateful in the way TCP is, i.e. entries are created in the translate table and they are timed out if no response is seen. As an example, in the case of DNS, when a response is seen the UDP translation is then removed from the translate table; when an echo reply is seen in response to an echo request (ping), the translate is removed.

But for traffic initiated by or terminating at the firewall, the normal inspection process is not followed. E.g., if you ping an address from the firewall console, the ICMP packet does not pass through the inspection code. You mentioned ...
"also allow ICMP requests made on the ASA out to the internet."
For this type of traffic to be allowed, in the case of ICMP, you need to configure icmp permit entries. If you don't do so, the firewall will block ICMP replies at the interface, and then appear to be unable to ping any address.

hope that makes sense now?
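The two mechanisms this answer distinguishes, shown side by side as an added ASA configuration example (not the poster's or answerers' own config). It assumes the interface facing the internet is named `outside` and that the default `global_policy` policy map with its `inspection_default` class is in use.

```text
! --- Through-traffic: stateful ICMP via the Modular Policy Framework ---
! With "inspect icmp", an echo-request leaving inside -> outside creates a
! connection entry, and only the matching echo-reply is allowed back in.
! "inspect icmp error" does the same for ICMP error messages (unreachable,
! time-exceeded) that refer to an existing connection. Because replies are
! matched against these connections before the ACL is consulted, the
! "permit icmp any any <type>" lines on the inbound ACL are no longer needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! --- Traffic to/from the ASA itself: not covered by inspection ---
! Pings sourced from the ASA console, and pings aimed at the ASA's own
! interface address, are governed by the interface-level "icmp" command.
! Permit only the reply/error types the ASA needs to see on "outside";
! once any "icmp" rule exists on an interface, all other ICMP to that
! interface is dropped (the explicit deny below just makes that visible).
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
```

The `inspect` lines change how transit ICMP is tracked; the `icmp` lines only affect packets addressed to or sourced from the firewall, which is why both are needed for the two requirements in the question.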

Author Comment

ID: 36563606
Yes, sorry for not getting back to you.
This question can be closed.
LVL 35

Expert Comment

by: Ernie Beek
ID: 37049276
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
