Options
Basic ASA q from non ccsp student
creamy_stew
Member Posts: 406 ■■■□□□□□□□
Hello ASA gurus 
I was looking through an ASA config at work this week, and it seems to use a single set of inspection rules for all interfaces by default. I'm I interpreting the config correctly?
I've really only changed a few access lists and NAT rules through the ASDM before (our main fw is not an ASA). Whats caused me to look into this was the fact that I couldn't ping anything (and so thought I had total loss of connectivity) I looked through the running config and noticed the inspect rules and noticed there was no entry for icmp, so I added that and everything was good.
I was looking through an ASA config at work this week, and it seems to use a single set of inspection rules for all interfaces by default. I'm I interpreting the config correctly?
I've really only changed a few access lists and NAT rules through the ASDM before (our main fw is not an ASA). Whats caused me to look into this was the fact that I couldn't ping anything (and so thought I had total loss of connectivity) I looked through the running config and noticed the inspect rules and noticed there was no entry for icmp, so I added that and everything was good.
Comments
-
Options
Ahriakin
Member Posts: 1,799 ■■■■■■■■□□
By default there is a global policy that applies to all traffic, and yup you need to add ICMP inspection manually (I'd add ICMP ERROR too for tracing). You can create and apply a distinct policy to each interface if you wish, it will override any matching settings in the global policy.We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place? -
Optionscreamy_stew
Member Posts: 406 ■■■□□□□□□□
Cool, thanks Ahriakin!
The ASAs seem pretty nice, and the ASDM actually seems usable unlike the SDM. -
Options
shednik
Member Posts: 2,005
creamy_stew wrote: »Cool, thanks Ahriakin!
The ASAs seem pretty nice, and the ASDM actually seems usable unlike the SDM.
It has its moments though don't you worry -
Options
mikearama
Member Posts: 749
By default there is a global policy that applies to all traffic, and yup you need to add ICMP inspection manually (I'd add ICMP ERROR too for tracing). You can create and apply a distinct policy to each interface if you wish, it will override any matching settings in the global policy.
Ahriakin, can I ask a follow up? I don't understand how adding a check to the ICMP ERROR box aids in tracing. Can I get you to elaborate? This sounds interesting.
Thanks,
MikeThere are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project. -
Options
kryolla
Member Posts: 785
it might have something to do with time exceeded and port unreachableStudying for CCIE and drinking Home Brew -
OptionsAhriakin
Member Posts: 1,799 ■■■■■■■■□□
ICMP Error messages include the original IP header and usually the first 64bytes of the packet that elicited the failure response, inspecting ICMP error allows the ASA to use the details in that original packet to decide if the reply packet is really a stateful reply (it also allows NAT fixups to be performed if need be). A classic example is in a trace as the TTLs expire the intermediate routers will respond with a packet sourced from their own address, but since they were not the target they do not match a flow and are dropped, with error inspection enabled the ASA can see from the embedded packet data that it should be allowed.We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
