CCIE Security V4 Technology Labs  Section 5:

Perimeter Security and Services - ASA Firewalls


ICMP Traffic
Last updated: May 22, 2013

Task
Configure the firewall such that no one could ping it. However, make sure firewall itself is able to ping
anyone.
Additionally, make sure that pMTU discovery and traceroute work successfully from the firewall.
All other ICMP messages terminating on firewall interfaces should be discarded.

Overview
Back in PIX 6.x, all ICMP message terminating on the firewall were discarded. This default behavior
has changed since version 7.x, and now the firewall accepts ICMP messages by default. However,
the firewall does not respond to ICMP messages send to the subnet broadcast address.

If you need to filter any specific ICMP message type, you should to create at least one explicit
ICMP rule. This will automatically block all other ICMP message types, until they are permitted
explicitly. You can also deny an ICMP message type explicitly for one subnet, while allowing it for
some others. The ICMP rule statement has the following syntax
icmp {permit|deny} <subnet> <mask> <interface>. You can use the keyword any instead of
0.0.0.0 0.0.0.0.

For example, if you want to allow the ASA to ping any outside destination, but do not respond to
echo requests, configure the following rule alone:

icmp permit any echo-reply outside

If you want the ASA to be able to perform traceroute operation, configure the firewall to accept ICMP
time-exceeded and unreachable messages. It is always recommended to allow the firewall to
accept unreachable messages, as the message type: fragmentation required but DF bit set is used
by the Path MTU (mPTU) discovery process.

Configuration:
ASA1:
 icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit any echo-reply dmz1
icmp permit any echo-reply dmz2
!
icmp permit any time-exceeded outside
icmp permit any unreachable outside
!
icmp permit any time-exceeded inside
icmp permit any unreachable inside
!
icmp permit any time-exceeded dmz1
icmp permit any time-exceeded dmz2
icmp permit any unreachable dmz1
icmp permit any unreachable dmz2

Verification
Ping and traceroute off the firewall unit and see that the commands are working now. At the same
time, pinging the firewall unit itself would fail.

Rack1ASA1(config)# ping 136.1.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Rack1ASA1(config)# ping 136.1.121.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.121.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Rack1ASA1(config)# ping 10.0.0.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Rack1ASA1(config)# trace 10.0.0.101

Type escape sequence to abort.

Tracing the route to 10.0.0.101

1 10.0.0.101 0 msec 0 msec 0 msec

Rack1ASA1(config)# trace 136.1.0.2
Type escape sequence to abort.
Tracing the route to 136.1.0.2

1 136.1.0.2 0 msec * 0 msec

Rack1ASA1(config)# trace 136.1.121.1

Type escape sequence to abort.

Tracing the route to 136.1.121.1

1 136.1.121.1 0 msec * 0 msec

Rack1ASA1(config)#

Rack1R2#ping 136.1.121.12

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 136.1.121.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Rack1R2#

Rack1R1#ping 136.1.121.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.121.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Rack1R1#