13-21
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
ICMP Inspection
ICMP Inspection
The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and
UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through
the ASA in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP
inspection engine ensures that there is only one response for each request, and that the sequence number
is correct.
However, ICMP traffic directed to an ASA interface is never inspected, even if you enable ICMP
inspection. Thus, a ping (echo request) to an interface can fail under specific circumstances, such as
when the echo request comes from a source that the ASA can reach through a backup default route.
For information on enabling ICMP inspection, see
Configure Application Layer Protocol Inspection,
.
ICMP Error Inspection
When ICMP Error inspection is enabled, the ASA creates translation sessions for intermediate hops that
send ICMP error messages, based on the NAT configuration. The ASA overwrites the packet with the
translated IP addresses.
When disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP
error messages. ICMP error messages generated by the intermediate nodes between the inside host and
the ASA reach the outside host without consuming any additional NAT resource. This is undesirable
when an outside host uses the traceroute command to trace the hops to the destination on the inside of
the ASA. When the ASA does not translate the intermediate hops, all the intermediate hops appear with
the mapped destination IP address.
The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved
five-tuple, a lookup is performed to determine the original address of the client. The ICMP error
inspection engine makes the following changes to the ICMP packet:
•
In the IP Header, the mapped IP is changed to the real IP (Destination Address) and the IP checksum
is modified.
•
In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
•
In the Payload, the following changes are made:
–
Original packet mapped IP is changed to the real IP
–
Original packet mapped port is changed to the real Port
–
Original packet IP checksum is recalculated
For information on enabling ICMP Error inspection, see
Configure Application Layer Protocol
Instant Messaging Inspection
The Instant Messaging (IM) inspect engine lets you control the network usage of IM and stop leakage
of confidential data, propagation of worms, and other threats to the corporate network.
IM inspection is not enabled by default. You must configure it if you want IM inspection.
Summary of Contents for ASA 5508-X
Page 11: ...P A R T 1 Access Control ...
Page 12: ......
Page 157: ...P A R T 2 Network Address Translation ...
Page 158: ......
Page 233: ...P A R T 3 Service Policies and Application Inspection ...
Page 234: ......
Page 379: ...P A R T 4 Connection Management and Threat Detection ...
Page 380: ......