Make Allowing Ping Easier – Enable ICMP Inspection on Cisco ASA

So you have your shiny new (or new to you) Cisco ASA setup just the way you like it. You’ve allowed only what is needed to pass from one interface to another. Life is good.

Until…

You’re hit with the requirement to allow something to ping something else on another interface.

Great…

You’ll just add an ACL on the incoming interface to allow ICMP right?

Not so fast!

When it comes to stateful TCP traffic, the ASA will automatically allow the returning packets if the initiating traffic was allowed by your ACL. Unfortunately, ICMP doesn’t contain the necessary connection information, such as port numbers or sequence numbers, to allow for the same behavior.

This means your ping reply will never make it through (unless your destination interface is a lower security level and you don’t have a default drop on every interface, but that’s a whole ‘nother topic!).

We have two primary options to resolve this:

Add another ACL on the returning interface explicitly allowing the ICMP traffic (yuck)

or

Enable ICMP inspection (hint: this is what you want to do)

Let’s dig into those.

Option #1: Adding ACL to allow ICMP reply traffic

I’m not going to get too far into this, but the premise is simple.

On the interface facing the host that will be initiating the ping you’ll create an ACL allowing icmp/echo to your destination host.

Something like

access-list INTERFACEA_access_in extended permit icmp object HOSTA object HOSTB echo

Then, on the interface facing the host that will be receiving the ping and replying you’ll create another ACL allowing icmp/echo-reply to your source host.

Something like

access-list INTERFACEB_access_in extended permit icmp object HOSTB object HOSTA echo-reply

As you can guess, this can get messy really quickly since you’re doubling up your ACLs just for ping. It also becomes hard to troubleshoot when you have multiple firewalls in line and you’re trying to track down which one is missing the return ACL and killing the whole thing.

This is where our second, and more preferred, option of enabling ICMP inspection comes into play.

Option #2: Enabling ICMP Inspection on Cisco ASA Firewall

Enabling “inspect icmp” on the ASA will allow the ASA to dynamically create ACLs and allow the return echo-reply, timestamp reply, time-exceeded, and destination unreachables to reach the initiating host.

To do this we need to make a modification to the default policy map (assuming you’re using the default policy-map, which most likely are) and it’s associated class map. We can do this with the following command:

policy-map global_policy
  class inspection_default
   inspect icmp

If you get an error when running that command it’s likley that your ASA was somehow configured without a default policy map and class map or that someone removed it at some point. If this is the case, you can recreate it and append it with the icmp inspection at the same time with the following config commands:

class-map inspection_default
  match default-inspection-traffic
policy-map global_policy
  class inspection_default
   inspect ftp
   inspect h323 h225
   inspect h323 ras    
   inspect ip-options
   inspect netbios
   inspect rsh
   inspect rtsp
   inspect skinny
   inspect esmtp
   inspect sqlnet
   inspect sunrpc
   inspect tftp
   inspect sip
   inspect xdmcp
   inspect icmp
service-policy global_policy global

At this point, you should be able to create your ACL on your incoming interface allowing icmp/echo to your destination host and the traffic will pass both ways. Keep in mind that if you have any firewalls in the path you’ll need to do this on all of them (and create your source interface ACL on all of them) for your pings to make it all the way through and back.

In my situation I inherited a fleet of firewalls that needed this configuration to aid in cleaning up a mess of egress and ingress ICMP ACL madness and I used Solarwinds Network Configuration Manager (NCM) to automate pushing this to all of them, saving me a ton of work ( and work = the company’s money).

I also want to make the side note here that I only allowed icmp/echo and icmp/echo-reply in my post. I did this because it’s all you need for a simple ping. If you are allowing icmp without specifying echo then you’re allowing the entire ICMP protocol which is not advised. You can do a lot more with ICMP than just ping so you’re inadvertently giving more access than what you really need.

Please only use echo if you only need ping.

As always, if you have any questions, comments, or corrections (I’ve never claimed to be perfect!), leave them in the comments below.

Good luck!

Recommended for You: Solarwinds Network Configuration Manager (NCM)

What would you do if one of your pieces of networking equipment failed? Could you rebuild it quickly? Do you know exactly what configuration it had? What ports were on what vlan? What about port channels?

You get the point.

Automate backing up configurations and updating of all your switching, routing, and firewall equipment without needing to know a single line of code with Solarwinds Network Configuration Manager.

This is one of those tools that pays for itself in man hours the first time you need to rely on it. Plus, you’ll sleep easier knowing you really have backed up all the things.

One thought on “Make Allowing Ping Easier – Enable ICMP Inspection on Cisco ASA

  • May 11, 2020 at 2:20 AM
    Permalink

    Thanks for the article. How do we allow ICMPv6 through the ASA?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *