Anyone can explain "icmp permit any unreachable inside" in ASA ?

Hi, can anyone explain "icmp permit any unreachable outside" in ASA? And what is the difference between "icmp permit any echo inside" and "icmp permit any echo-reply inside"? Thank you.

eemoon asked:
Jody Lemoine, Network Architect, commented:
These are just permit statements for different kinds of ICMP messages that are destined for the ASA itself. Anything going through the ASA is handled by normal ACLs.

"icmp permit any unreachable outside" instructs the ASA to send messages back to external sources when a port isn't open. Turning this off causes the ASA to drop packets to invalid ports with no message to the source.

"icmp permit any echo inside" instructs the ASA to allow inside hosts to ping its IP addresses.

"icmp permit any echo-reply inside" instructs the ASA to allow replies to pings originating from the ASA and destined to the inside security zone.
eemoon (Author) commented:
Thank you so much for your fast reply.

> when a port isn't open.

Does ping have a port number?

After I use "icmp permit any unreachable outside/inside" and "icmp permit any echo-reply inside", the PC user cannot ping the ASA again. Do you think this is right?
Jody Lemoine, Network Architect, commented:
Ping doesn't have a port number, but ICMP is more than ping. When someone tries to connect to an invalid port with TCP or UDP, the ASA sends an ICMP unreachable to inform the client that the port is not open... unless unreachables are disabled.

The user being able to ping the ASA after those two commands makes no sense. If "permit ICMP any echo inside" is enabled, they should be able to ping. Not so if it is disabled.
eemoon (Author) commented:
Yes, when using echo, echo-reply and unreachable together, the user can ping the ASA. If using echo-reply and unreachable, respectively, the user cannot ping.

> When someone tries to connect to an invalid port with TCP or UDP, the ASA sends an ICMP unreachable to inform the client that the port is not open... unless unreachables are disabled.

Can we say "When someone using telnet or ssh etc. tries to connect to an invalid port with TCP or UDP, the ASA sends an ICMP unreachable to inform the client that the port is not open... unless unreachables are disabled"?
Jody Lemoine, Network Architect, commented:
The echo setting needs to be enabled for the user to ping. Because the ASA is receiving an echo packet, that's what needs to be permitted.  

You could say telnet or ssh, but it really applies to any TCP or UDP traffic. So if the default ASDM port or webvpn port were changed and a user pointed a web browser at the original port, the unreachable setting would change the response for this as well.
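An added configuration example (not from the thread) that puts the distinctions above side by side, assuming a constructed 10.0.0.0/24 management subnet behind the inside interface:

```text
! Constructed ASA control-plane ICMP policy (added example, not from the thread).
! These "icmp" rules only govern ICMP that terminates on the ASA's own interfaces;
! ICMP transiting the ASA is still matched by the normal interface ACLs.
! As soon as one "icmp" rule exists for an interface, an implicit deny follows it,
! so any ICMP type not listed for that interface is silently dropped.

! inside: only the management subnet may ping the ASA (echo arriving at the ASA),
! and the ASA may receive replies to pings it sends to inside hosts (echo-reply)
icmp permit 10.0.0.0 255.255.255.0 echo inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside

! outside: no echo at all, so the ASA does not answer pings from the Internet,
! but unreachables are still allowed so a client hitting a closed port fails fast
! instead of waiting for its own connection timeout
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp deny any outside

! limit how many unreachables the ASA itself generates per second
icmp unreachable rate-limit 1 burst-size 1
```

Verify the resulting rule set with `show running-config icmp`; with this policy an outside host pinging the ASA gets no reply, while an inside host in 10.0.0.0/24 still does.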
eemoon (Author) commented:
> "icmp permit any unreachable outside" instructs the ASA to send messages back to external sources when a port isn't open

"send messages back": what message will be sent back? Is it "unreachable" in the command line? If it is ASDM or webvpn, what kind of message will be sent back? Thank you.
Jody Lemoine, Network Architect, commented:
ICMP unreachables are processed by the TCP/IP stack itself and sent to the application as error conditions, so the unreachable never actually appears within the application itself. In this case, if the application receives an unreachable message, it will immediately stop attempting to connect and present an error. If the unreachable messages are disabled at the ASA, no message will come back and the application will just wait until its request times out.

A good explanation of ICMP unreachables (and ICMP as a whole) can be found here.

https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Destination_unreachable

eemoon (Author) commented:
Excellent, thank you!