July 19, 2018

Cisco ASA :: Verifying ICMP Reachability on the ASA

(Last Updated On: 16th January 2018)

If you are a firewall engineer or work closely with the Cisco ASA, you will often find yourself verifying whether a given packet can actually reach its destination through the firewall. One feature the ASA provides for this is the ‘packet-tracer’ command: given a description of a packet (ingress interface, protocol, source and destination), it prints how the ASA would process that packet, phase by phase, without you having to generate real traffic from a host.

In this article I will show how to use packet-tracer to verify ICMP reachability, and we will also look at the processing path the ASA applies to the packet. For this demonstration I am using an ASAv running 9.8 code.

By default the ASA does not inspect ICMP, which means it does not track ICMP as a stateful connection. An echo request permitted by an ACL is forwarded, but the echo reply coming back is treated as a new packet arriving on the return interface and is dropped unless an ACL on that interface permits it. Enabling ICMP inspection makes the ASA track echo request and reply as one session, so the reply is matched to the outgoing request and needs no ACL entry of its own. To enable it, add ‘inspect icmp’ to the ‘inspection_default’ class of the ‘global_policy’ policy-map (the class already matches ICMP through ‘match default-inspection-traffic’):

policy-map global_policy
 class inspection_default
  inspect icmp

Once the policy-map is configured, add ACLs to permit the ICMP traffic you want. In this example we permit ICMP from a host behind the ASA to any destination, and a second rule permits ICMP from the branch site’s public IP address to the main site’s host. Note that from ASA 8.3 onward ACLs match the real (untranslated) address of a host, so the OUTSIDE rule references the MAIN-SITE-HOST object that holds 192.168.10.10, not its translated address:

access-list INSIDE extended permit icmp object MAIN-SITE-HOST any
access-list OUTSIDE extended permit icmp object BRANCH-PUBIP object MAIN-SITE-HOST

access-group INSIDE in interface INSIDE1
access-group OUTSIDE in interface OUTSIDE

With the inspection and ACLs in place we can either run a ping from the host or use packet-tracer. In this article we use packet-tracer. The command below includes the ‘detailed’ keyword, which adds the matched rule IDs and flow-lookup details under each phase, and is followed by its full output.

ciscoasa/act/pri(config)# packet-tracer input INSIDE1 icmp 192.168.10.10 8 0 209.165.100.18 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbeda3b0b0, priority=13, domain=capture, deny=false
hits=1805497, user_data=0x7fdbed256740, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=INSIDE1, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbeda1c630, priority=1, domain=permit, deny=false
hits=992191, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE1, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 209.165.100.3 using egress ifc OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE1
access-list INSIDE extended permit icmp object MAIN-SITE-HOST any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbedb42b20, priority=13, domain=permit, deny=false
hits=27, user_data=0x7fdbf92d3640, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=192.168.10.10, mask=255.255.255.255, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE1, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network MAIN-SITE-HOST
nat (INSIDE1,OUTSIDE) static MAIN-SITE-HOST-NAT
Additional Information:
Static translate 192.168.10.10/0 to 209.165.100.4/0
Forward Flow based lookup yields rule:
in id=0x7fdbeda3b350, priority=6, domain=nat, deny=false
hits=3348, user_data=0x7fdbedaa1410, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.10, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE1, output_ifc=OUTSIDE

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbed242ec0, priority=0, domain=nat-per-session, deny=true
hits=453421, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbeda25750, priority=0, domain=inspect-ip-options, deny=true
hits=282115, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE1, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbedb213d0, priority=70, domain=inspect-icmp, deny=false
hits=177198, user_data=0x7fdbedb1fe10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE1, output_ifc=any

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbedc60f80, priority=70, domain=qos-per-class, deny=false
hits=561692, user_data=0x7fdbed9545c0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fdbeda24f60, priority=66, domain=inspect-icmp-error, deny=false
hits=177221, user_data=0x7fdbeda244e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE1, output_ifc=any

Phase: 11
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fdbedc60f80, priority=70, domain=qos-per-class, deny=false
hits=561693, user_data=0x7fdbed9545c0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fdbed242ec0, priority=0, domain=nat-per-session, deny=true
hits=453423, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fdbeda86ea0, priority=0, domain=inspect-ip-options, deny=true
hits=103963, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 284909, packet dispatched to next module
Module information for forward flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: INSIDE1
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow


You may have noticed the two numbers ‘8’ and ‘0’ after the source address in the packet-tracer command. They are the ICMP type and code of the simulated packet: type 8, code 0 is an echo request. (An echo reply is type 0, code 0, but you do not trace it separately here: because ICMP is inspected, the reply is matched to the session created by the request, which is why the output above also builds a reverse flow.) To test the branch-initiated ping against the OUTSIDE rule, run the tracer again with ‘input OUTSIDE’, the branch public IP as the source and 209.165.100.4, the translated address the packet actually carries on the wire, as the destination. The IANA ICMP parameters registry lists the full set of types and codes.

Explaining each phase in detail is beyond the scope of this article, but reading them in order shows the ASA’s processing path: the route lookup (phase 3) picks OUTSIDE as the egress interface, the INSIDE ACL (phase 4) permits the packet, the static NAT (phase 5) translates 192.168.10.10 to 209.165.100.4, and ICMP inspection (phase 8) attaches the engine that will track the reply. Phase 14 creates the flow, and the final Result block shows ‘Action: allow’. Had any phase failed, the trace would stop at that phase with ‘Result: DROP’ and the final block would carry a ‘Drop-reason’ line naming the cause (for example acl-drop), with the Config lines of that phase pointing at the rule responsible.
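The phase-by-phase output is easy to read once, but if you run packet-tracer for many source/destination pairs (say, one per ACL rule after a change window) you want the verdict and the blocking phase pulled out automatically. The following Python is an added example, not code from the original post or from Cisco: it builds the packet-tracer command line, parses captured output into phases and the final Result block, and reports the first non-ALLOW phase together with its Config lines and the Drop-reason. It assumes you have already captured the output text (for example over SSH); the two sample traces in the block are constructed and trimmed to the phases that matter, and the denied one uses the ASA’s standard implicit-deny drop reason.

```python
"""Parse Cisco ASA `packet-tracer ... detailed` output into its phases and final verdict.
Added example, not code from the original post. It assumes the trace text has already
been captured from the ASA (e.g. over SSH); the sample traces are constructed and trimmed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""                                 # ALLOW / DROP as printed by the ASA
    config: List[str] = field(default_factory=list)  # the lines under "Config:"


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: Optional[str] = None                     # "allow" / "drop" from the final Result block
    drop_reason: Optional[str] = None                # "Drop-reason:" line, present on drops only
    output_ifc: Optional[str] = None                 # egress interface chosen by the route lookup

    def blocking_phase(self) -> Optional[Phase]:
        """First phase whose Result is not ALLOW; its Config lines name the rule to fix."""
        return next((p for p in self.phases if p.result.upper() != "ALLOW"), None)


def build_cmd(ingress_ifc: str, src: str, dst: str, icmp_type: int = 8, icmp_code: int = 0) -> str:
    """The two numbers after the source are the ICMP *type* and *code* (8 0 = echo request)."""
    return f"packet-tracer input {ingress_ifc} icmp {src} {icmp_type} {icmp_code} {dst} detailed"


def parse_trace(text: str) -> Trace:
    trace, keys = Trace(), ("Type", "Subtype", "Result", "Config", "Additional Information")
    # Split at each "Phase: N" line and at the bare "Result:" footer; a phase's own
    # "Result: ALLOW" line has text after the colon, so it is not a split point.
    for block in re.split(r"^(?=Phase: \d+\s*$|Result:\s*$)", text.strip(), flags=re.M):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        if lines[0].startswith("Phase:"):
            phase, section = Phase(int(lines[0].split(":", 1)[1])), None
            for ln in lines[1:]:
                key, sep, val = ln.partition(":")
                if sep and key in keys:
                    section = key
                    if key in ("Type", "Subtype", "Result"):
                        setattr(phase, key.lower(), val.strip())
                elif section == "Config":
                    phase.config.append(ln)
            trace.phases.append(phase)
        else:                                        # the final "Result:" footer
            footer = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
            trace.action = footer.get("Action", "").lower() or None
            trace.drop_reason = footer.get("Drop-reason")
            trace.output_ifc = footer.get("output-interface")
    return trace


def check(text: str, expect: str) -> str:
    """One-line verdict: does the ASA's final action match what the test expected?"""
    t = parse_trace(text)
    if t.action == expect:
        return f"OK: {t.action} via {t.output_ifc}"
    p = t.blocking_phase()
    where = f"phase {p.number} {p.type}: {' | '.join(p.config)}" if p else "no phase reported a drop"
    return f"MISMATCH: expected {expect}, got {t.action} ({t.drop_reason}); {where}"


# Constructed sample: the article's echo request, trimmed to its NAT phase and footer.
ALLOWED = """\
Phase: 1
Type: NAT
Subtype:
Result: ALLOW
Config:
object network MAIN-SITE-HOST
nat (INSIDE1,OUTSIDE) static MAIN-SITE-HOST-NAT
Additional Information:
Static translate 192.168.10.10/0 to 209.165.100.4/0
Result:
output-interface: OUTSIDE
Action: allow
"""
# Constructed sample: the same packet with no matching permit, so the implicit deny fires.
DENIED = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

check(ALLOWED, "allow") returns "OK: allow via OUTSIDE", while check(DENIED, "allow") returns a MISMATCH line naming phase 1 ACCESS-LIST and its "Implicit Rule" config, which is exactly where you would look in the running configuration. Feed it the full 14-phase output from the article and phases[].config gives you the access-group, NAT and service-policy lines that matched, so a change to any of them shows up as a different trace.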


Security Solutions Consulting Engineer @ Cisco - CCNA R&S/CCNA Security, CCDA & CCNP R&S - Currently working on CCIE Security. Sharing my knowledge and passion for technology. All views are mine and NOT of my company.
