Monday, 14 May 2012

ICMP PING CMD IN FIREWALL & ASDM


Cisco Firewalls and PING (Note: tracert uses the same ICMP messages as ping, so the firewall treats ping and tracert the same)
 
Problem
With regards to ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewall's outside interface can be pinged from outside.

OK, to understand pinging through a Cisco firewall you need to understand that ping is part of the ICMP protocol suite and, unlike other protocols, is not "connection-oriented". What that means is that (on a new firewall with no outbound rules applied) the firewall happily lets ping traffic out, but it won't let the ping replies back in; this results in a failure on the client.
Solution
Cisco ASA and Cisco PIX (version 7 and above) From CLI
Version 7 introduced an ICMP inspection engine so that the firewall can track ICMP requests like other protocols. It is NOT turned on by default. The command is "inspect icmp", but you need to enter the default policy map and its class first (this assumes you have the standard policy-map). Connect to the firewall and use the following commands from config terminal mode, then save the changes with a "write mem" command.
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect icmp
PetesASA(config-pmap-c)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config-pmap-c)#
Cisco ASA and Cisco PIX (version 7 and above) From ASDM
Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select "inspection_default" > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.
Cisco PIX (version 6 and below) From CLI
Older firewalls do not have an inspection map, nor was there a "fixup" for ICMP and ping traffic, so you need to explicitly allow the return ICMP traffic back in. Note: this assumes you already have an inbound access-list called "inbound" and we are adding some more lines to it; change the word "inbound" to match the name/number of your inbound access list (the "show access-group" command will tell you what is applied to the outside interface), e.g.
PetesASA> en
Password: ********
PetesASA# show access-group
access-group inbound in interface outside << This one's called inbound.
If you already have an access-list applied, simply substitute the name "inbound" for the name of your ACL.
PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply
PetesASA(config)# access-list inbound permit icmp any any time-exceeded
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench
If you already HAD an inbound ACL, skip this step. If you didn't have one, you need to apply the ACL with an access-group command.
PetesASA(config)# access-group inbound in interface outside
Lastly, save your work with a write mem command.
PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#
Cisco PIX (version 6 and below) From PDM
Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select "echo-reply" > OK > Apply > File > Save running configuration to flash.
Then repeat for time-exceeded, unreachable and source-quench
Stop Interfaces replying to Ping traffic
As stated above, all firewall interfaces will respond to pings from the network you are connected to. To stop this, use the "icmp" command, which controls ICMP traffic that terminates on the firewall's own interfaces (as opposed to traffic passing through it).
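Putting the two halves together on an ASA (version 7 and above): ICMP inspection for traffic passing through the firewall, and the "icmp" command for pings aimed at the firewall itself. This is an added example, not from the original post; it assumes the standard global_policy / inspection_default names used above, the interface name "outside", and a constructed management subnet of 192.0.2.0/24.

```cisco
! Added example (not from the original post). Assumes the default
! global_policy / inspection_default names; 192.0.2.0/24 is a
! constructed management subnet, substitute your own.

! 1. Let ping replies come back THROUGH the firewall: enable ICMP
!    inspection so echo-request/echo-reply are tracked like a session.
!    "inspect icmp error" additionally lets ICMP error messages
!    (unreachable, time-exceeded) from intermediate hops be translated
!    back to the original sender, which keeps tracert working across NAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 2. Control pings TO the firewall's own interfaces with the "icmp"
!    command. With no icmp rules at all, every interface answers pings
!    (the out-of-the-box behaviour described above). Rules are evaluated
!    top-down, first match, so put the permits before the catch-all deny.
!
! Weak: leave the outside interface answering echo from anywhere
! (this is the default; shown here only for contrast):
!   icmp permit any outside
!
! Hardened: only the management subnet may ping the outside interface,
! and ICMP unreachables are still accepted so that Path MTU Discovery
! (and therefore IPsec/PPTP traffic) keeps working.
icmp permit 192.0.2.0 255.255.255.0 echo outside
icmp permit any unreachable outside
icmp deny any outside

! 3. Verify what is applied, then save.
!   show running-config icmp
!   show service-policy inspect icmp
!   write mem
```

The inside interface keeps its default behaviour in this example; add matching "icmp" lines for "inside" if internal clients should not be able to ping it either.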
Do the same from ASDM
Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.
Do the same from PDM
Connect to the PDM > Configuration > System Properties > Administration > ICMP > Add > Specify the Type, Interface, Source etc. > OK > Apply > File > Save running configuration to flash.