Cisco Firewalls and PING
(Note: tracert uses ICMP, the same protocol as ping, so the firewall treats ping and tracert the same.)

Problem
With regard to ping, out of the box a Cisco firewall will let you ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewall's outside interface can be pinged from outside. To understand pinging through a Cisco firewall you need to understand that ping is part of the ICMP protocol suite and, unlike other protocols, is not "connection oriented". What that means is that (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out but won't let the ping replies back in, which results in a failure on the client.

Solution
Cisco ASA and Cisco PIX (version 7 and above) From CLI
Version 7 introduced an ICMP inspection engine so that the firewall can track ICMP requests like other protocols. It is NOT turned on by default. The command is "inspect icmp", but you need to enter the default policy map and its inspection class first (this assumes you have the standard policy-map). Connect to the firewall and use the following commands from config terminal mode, then save the changes with a "write mem" command.

PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect icmp
PetesASA(config-pmap-c)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config-pmap-c)#
Cisco ASA and Cisco PIX (version 7 and above) From ASDM
Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select "inspection_default" > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.
Older firewalls do not have an inspection map, nor was there a "fixup" for ICMP and ping traffic, so you need to explicitly allow the return ICMP traffic back in. Note: this assumes you already have an inbound access-list called "inbound" and we are adding some more lines to it; change the word "inbound" to match the name/number of your inbound access list (the "show access-group" command will tell you what is applied to the outside interface), e.g.

PetesASA> en
Password: ********
PetesASA# show access-group
access-group inbound in interface outside    <<This one's called inbound.

If you already have an access-list applied then simply substitute the word "inbound" with the name of your ACL.

PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply
PetesASA(config)# access-list inbound permit icmp any any time-exceeded
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench

If you HAD an inbound ACL, skip this step. If you didn't have one, you need to apply the ACL with an access-group command.
PetesASA(config)# access-group inbound in interface outside | ||
Lastly save your work with a write mem command. | ||
PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#

Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select "echo-reply" > OK > Apply > File > Save running configuration to flash.
Then repeat for time-exceeded, unreachable and source-quench.
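As an added example (not part of the original post), a small Python audit that reads a saved running-config and checks for the two fixes described above: that "inspect icmp" is present under class inspection_default in policy-map global_policy, and that the ACL applied inbound on the outside interface permits the four ICMP return types. The config excerpt is constructed and the function names are my own.

```python
import re

# Constructed sample running-config excerpt (not from any real device): the ACL
# is applied, but "inspect icmp" and the source-quench ACL line are missing.
SAMPLE_CONFIG = """\
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-group inbound in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
 class class-default
"""

# The four ICMP return types the post adds to the inbound ACL on older PIX.
ICMP_RETURN_TYPES = ("echo-reply", "time-exceeded", "unreachable", "source-quench")


def icmp_inspect_enabled(config, policy="global_policy", cls="inspection_default"):
    """True if 'inspect icmp' sits under the given class of the given policy-map.
    ASA config is indentation-structured: policy-map at column 0, class lines
    indented one space, inspect lines indented two spaces."""
    in_policy = in_class = False
    for line in config.splitlines():
        if not line.startswith(" "):       # top level: a new section starts
            in_policy = line.strip() == f"policy-map {policy}"
            in_class = False
        elif not line.startswith("  "):    # one space: a class inside the map
            in_class = in_policy and line.strip() == f"class {cls}"
        elif in_class and line.strip() == "inspect icmp":
            return True
    return False


def outside_acl_name(config):
    """Name of the ACL applied inbound on the outside interface, or None."""
    m = re.search(r"^access-group (\S+) in interface outside$", config, re.M)
    return m.group(1) if m else None


def missing_icmp_return_rules(config):
    """ICMP return types the outside ACL does not yet permit (all, if no ACL)."""
    acl = outside_acl_name(config)
    if acl is None:
        return list(ICMP_RETURN_TYPES)
    rule = re.compile(rf"^access-list {re.escape(acl)} (?:extended )?permit icmp any any (\S+)$", re.M)
    permitted = set(rule.findall(config))
    return [t for t in ICMP_RETURN_TYPES if t not in permitted]
```

Run it against the output of "show running-config" saved to a file; an empty list from missing_icmp_return_rules plus True from icmp_inspect_enabled means both fixes are in place.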
Stop Interfaces replying to Ping traffic
As stated above, all firewall interfaces will respond to pings if they are on the network you are connected to. To stop this you use the "icmp" command.

Do the same from ASDM
Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.

Do the same from PDM
Connect to the PDM > Configuration > System Properties > Administration > ICMP > Add > Specify the Type, Interface, Source etc. > OK > Apply > File > Save running configuration to flash.
Monday, 14 May 2012
ICMP PING CMD IN FIREWALL & ASDM
Labels:
CISCO ASA