Wednesday, February 20, 2013

Cisco ASA and ICMP Configurations

As I am sure many of you who have ever worked with a Cisco firewall know, ICMP is not allowed through the firewall by default. If you are just configuring the device, this can make it very difficult to troubleshoot connectivity issues. Thankfully, there are several ways to get around this.

Solution 1: Use access-lists to allow pings from inside/DMZ to the outside.
To allow pinging from the inside to the outside interfaces, you will need to configure an access-list for the outside interface.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
 ************************************************
Then apply the access-list to the outside interface.

access-group OUTSIDE_IN_ACL in interface outside
 *****************************************
 
This will allow only ping. If you would like to allow trace route, you will also need to allow time-exceeded.

access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
 ***************************************************
 
Solution 2: Use access-list to allow ping and trace route from the internet to your dmz/inside servers.
To do this, we are going to build off of what we did above, so you should already have this in the config.


access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside
 *****************************************
 
Now all we need to do is allow echo into the network.
access-list OUTSIDE_IN_ACL permit icmp any any echo
 ********************************************
 
Even though we are allowing icmp, we still need to have a static mapping to allow the packets to reach the DMZ.

static (dmz,outside) PUBLIC_IP DMZ_IP netmask 255.255.255.255
*****************************************************
Of course, you will need to have a static mapping for every server you want to have reachable from the internet.

Solution 3: This is a bit more complex, but will allow higher security level interfaces to ping/trace route lower security level interfaces without the use of access-lists. To do this, we will tell the ASA to inspect icmp in a service policy. If you are using a ASA, you should have a default policy in the base config called
global_policy.
global_policy:

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
 **************************
To add icmp inspection.

FW-ASA(config)# policy-map global_policy
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp
******************************

No comments:

Post a Comment