ASA inspection policies

Hi all; 

I changed my ASA to work in "transparent mode". Now I can issue telnet from internal to DMZ and outside, but after adding an ICMP inspection rule, ICMP reply packets don't pass through the ASA in the return direction. My config is:


ciscoasa(config)# sh run

access-list TEST_ACL extended permit icmp 1.1.1.0 255.255.255.0 interface DMZ
!
class-map ICMP_CLASS
 match access-list TEST_ACL
!
policy-map ICMP_INSPECTION
 class ICMP_CLASS
  inspect icmp
!
interface BVI1
 ip address 1.1.1.254 255.255.255.0
!
firewall transparent
!
service-policy ICMP_INSPECTION interface INTERNAL

Am I missing something?!

Comments

  • Hi Timaz,

    can you explain what you mean by "I can issue telnet from internal to dmz and outside"? Interfaces or hosts behind these interfaces?

     

    Your access list permits ICMP from 1.1.1.0/24 to interface DMZ, but in transparent mode that doesn't make any sense, as this interface doesn't have an IP:

    access-list TEST_ACL extended permit icmp 1.1.1.0 255.255.255.0 interface DMZ

    Can you see any hits on this ACL?

    regards

    Hubert

  • timaz

    Hi;

     

    What I need is to be able to ping from a host on the "internal" side toward the hosts behind the "DMZ" and/or "outside" interfaces. As far as I know, the default inspection policy on the ASA just takes TCP and UDP from higher security levels to the lower ones, and for ICMP to pass through the ASA we must enable ICMP inspection. I added the configs shown above but did not manage to ping.

  • Hi

    Change the interface name to your destination IP. The interface name is useful when you define a policy for traffic to the device itself.

    Regards

    Hubert

    On May 10, 2015 12:11 PM, "timaz" <[email protected]> wrote:

    Hi;

     

    What I need is to be able to ping from a host on the "internal" side toward the hosts behind the "DMZ" and/or "outside" interfaces. As far as I know, the default inspection policy on the ASA just takes TCP and UDP from higher security levels to the lower ones, and for ICMP to pass through the ASA we must enable ICMP inspection. I added the configs shown above but did not manage to ping.

  • Hi,

    Sorry for my typo, I sent it from my mobile. I meant: you should modify your ACL and, instead of the interface name, add your destination IP/subnet.

     

    regards

    Hubert

  • You can either inspect ICMP in the global_policy, which will affect all ICMP traffic traversing the firewall, or you can inspect ICMP only for specific traffic by using an ACL. In your case, the problem is that in the ACL you have defined the ASA's interface as the destination instead of the real destination of the traffic, which means no ICMP will be inspected anyway, as on the ASA you CANNOT traverse it with management/control-plane traffic (being on the inside, you can never ping/telnet/etc. the DMZ interface of the ASA).
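The mistake the thread converges on (an inspect class whose ACL names the ASA's own interface as the destination, so through-the-box traffic can never hit it) is easy to catch mechanically before pushing a policy. The linter below is an added example, not from the forum or from Cisco: it embeds the posted config as a constructed sample (class-map name made consistent), a corrected copy whose destination is an assumed DMZ subnet 10.10.10.0/24 (not given in the post), and reports every applied `inspect` class that can never match. It handles only plain `host`, `any`, `interface` and address/mask ACE forms; `object`/`object-group` references are not resolved.

```python
"""Lint an ASA running-config for inspection policies that can never match.
Added example; only simple extended-ACE address forms are parsed."""

# Constructed sample mirroring the config posted above (class-map name normalized).
BROKEN_CONFIG = """\
access-list TEST_ACL extended permit icmp 1.1.1.0 255.255.255.0 interface DMZ
!
class-map ICMP_CLASS
 match access-list TEST_ACL
!
policy-map ICMP_INSPECTION
 class ICMP_CLASS
  inspect icmp
!
interface BVI1
 ip address 1.1.1.254 255.255.255.0
!
firewall transparent
!
service-policy ICMP_INSPECTION interface INTERNAL
"""

# The thread's fix: name the real destination subnet, not the ASA interface.
# 10.10.10.0/24 is an assumed DMZ subnet; the post does not give one.
FIXED_CONFIG = BROKEN_CONFIG.replace("interface DMZ", "10.10.10.0 255.255.255.0")


def _blocks(config):
    """Group indented lines under their top-level command; drop '!' and blanks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _addr(tok, i):
    """Consume one ACE address spec: any | host X | interface NAME | object X | ip mask."""
    if tok[i] in ("any", "any4", "any6"):
        return (tok[i], None), i + 1
    return (tok[i], tok[i + 1]), i + 2


def _parse_ace(tok):
    """access-list NAME extended ACTION PROTO SRC DST [ports / icmp-type ...]"""
    i = 4
    proto, i = (tok[i + 1], i + 2) if tok[i] == "object-group" else (tok[i], i + 1)
    src, i = _addr(tok, i)
    dst, _ = _addr(tok, i)
    return {"action": tok[3], "proto": proto, "src": src, "dst": dst}


def parse(config):
    """Return (acls, class_maps, policy_maps, service_policies) from config text."""
    acls, cmaps, pmaps, spolicies = {}, {}, {}, []
    for header, body in _blocks(config):
        t = header.split()
        if t[0] == "access-list" and len(t) >= 7 and t[2] == "extended":
            acls.setdefault(t[1], []).append(_parse_ace(t))
        elif t[0] == "class-map":
            cmaps[t[1]] = body                      # the 'match ...' lines
        elif t[0] == "policy-map":
            classes, cur = {}, None
            for line in body:                       # 'class X' then its actions
                if line.startswith("class "):
                    cur = line.split()[1]
                    classes[cur] = []
                elif cur is not None:
                    classes[cur].append(line)
            pmaps[t[1]] = classes
        elif t[0] == "service-policy":
            spolicies.append((t[1], " ".join(t[2:])))
    return acls, cmaps, pmaps, spolicies


def lint(config):
    """Findings for every applied inspect class that cannot match through-the-box traffic."""
    acls, cmaps, pmaps, spolicies = parse(config)
    findings = []
    for pmap, scope in spolicies:
        if pmap not in pmaps:
            findings.append(f"service-policy {pmap} ({scope}): policy-map not defined")
            continue
        for cname, actions in pmaps[pmap].items():
            if cname not in cmaps:
                findings.append(f"policy-map {pmap}: class {cname} has no class-map "
                                "(name must match exactly)")
                continue
            if not any(a.startswith("inspect") for a in actions):
                continue
            for match in cmaps[cname]:
                mt = match.split()
                if mt[:2] != ["match", "access-list"]:
                    continue
                if mt[2] not in acls:
                    findings.append(f"class-map {cname}: access-list {mt[2]} not defined")
                    continue
                for ace in acls[mt[2]]:
                    for end in ("src", "dst"):
                        if ace[end][0] == "interface":   # the ASA's own address (to-the-box)
                            findings.append(
                                f"access-list {mt[2]}: {end} 'interface {ace[end][1]}' is the "
                                f"ASA's own address; through-the-box {ace['proto']} can never "
                                f"hit 'inspect' in class {cname}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

Run it against a real `show running-config` dump to get the same report; the `interface DMZ` finding disappears once the ACE names the actual destination subnet, and a `class` line in a policy-map that does not exactly match a `class-map` name is reported separately, since the inspect action then has nothing to classify on.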
