Basic ASA q from non ccsp student

creamy_stew Member Posts: 406
Hello ASA gurus :)

I was looking through an ASA config at work this week, and it seems to use a single set of inspection rules for all interfaces by default. Am I interpreting the config correctly?

I've really only changed a few access lists and NAT rules through the ASDM before (our main fw is not an ASA). What caused me to look into this was the fact that I couldn't ping anything (and so I thought I had total loss of connectivity). I looked through the running config, noticed the inspect rules, and noticed there was no entry for icmp, so I added that and everything was good.
Itchy... Tasty!
[X] DCICN
[X] IINS

[ ] CCDA
[ ] DCICT

Comments

  • Ahriakin Member Posts: 1,799
    By default there is a global policy that applies to all traffic, and yup you need to add ICMP inspection manually (I'd add ICMP ERROR too for tracing). You can create and apply a distinct policy to each interface if you wish, it will override any matching settings in the global policy.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • creamy_stew Member Posts: 406
    Cool, thanks Ahriakin!

    The ASAs seem pretty nice, and the ASDM actually seems usable unlike the SDM.
  • shednik Member Posts: 2,005
    creamy_stew wrote: »
    Cool, thanks Ahriakin!

    The ASAs seem pretty nice, and the ASDM actually seems usable unlike the SDM.

    It has its moments though, don't you worry :)
  • mikearama Member Posts: 749
    Ahriakin wrote: »
    By default there is a global policy that applies to all traffic, and yup you need to add ICMP inspection manually (I'd add ICMP ERROR too for tracing). You can create and apply a distinct policy to each interface if you wish, it will override any matching settings in the global policy.

    Ahriakin, can I ask a follow up? I don't understand how adding a check to the ICMP ERROR box aids in tracing. Can I get you to elaborate? This sounds interesting.

    Thanks,
    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • kryolla Member Posts: 785
    It might have something to do with time exceeded and port unreachable.
    Studying for CCIE and drinking Home Brew
  • Ahriakin Member Posts: 1,799
    ICMP error messages include the original IP header and usually the first 64 bytes of the packet that elicited the failure response. Inspecting ICMP error allows the ASA to use the details in that original packet to decide if the reply packet is really a stateful reply (it also allows NAT fixups to be performed if need be). A classic example is in a trace: as the TTLs expire, the intermediate routers will respond with a packet sourced from their own address, but since they were not the target they do not match a flow and are dropped. With error inspection enabled, the ASA can see from the embedded packet data that it should be allowed.
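Ahriakin's point about the embedded original packet, as an added Python model that is not part of this thread or of any Cisco code: it builds a constructed traceroute-style UDP probe and a router-sourced Time Exceeded, then shows that matching only the outer addresses drops the hop's reply, while parsing the embedded IP/UDP header matches it to the existing flow. The flow-table layout, the addresses and the single-flow scenario are all assumptions.

```python
import struct
from collections import namedtuple

# Constructed model of a firewall flow-table entry (hypothetical, not ASA code).
Flow = namedtuple("Flow", "proto src dst sport dport")
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ERRORS = {3, 11}  # Destination Unreachable, Time Exceeded


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum is left zero and not verified."""
    to_b = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, to_b(src), to_b(dst))

def udp_probe(src, dst, sport, dport):
    """Constructed traceroute-style UDP probe: IP header + 8-byte UDP header."""
    return ipv4_header(src, dst, PROTO_UDP, 8) + struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_error(router, dst, icmp_type, original):
    """ICMP error sourced by a router, embedding the original IP header + 8 bytes."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + original[:28]
    return ipv4_header(router, dst, PROTO_ICMP, len(icmp)) + icmp

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a packet starting with an IPv4 header."""
    v_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    return proto, ".".join(map(str, src)), ".".join(map(str, dst)), pkt[ihl:]

def allowed(flows, pkt, inspect_icmp_error):
    """Stateful decision for an inbound ICMP error.
    Without error inspection only the outer addresses are compared with the
    flow table, so an error from an intermediate hop never matches. With it,
    the embedded original packet's 5-tuple is looked up instead."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto != PROTO_ICMP or payload[0] not in ICMP_ERRORS:
        return False  # this model only classifies ICMP error messages
    if not inspect_icmp_error:
        return any(f.src == dst and f.dst == src for f in flows)
    in_proto, in_src, in_dst, in_l4 = parse_ipv4(payload[8:])
    sport, dport = struct.unpack("!HH", in_l4[:4])
    return Flow(in_proto, in_src, in_dst, sport, dport) in flows


# Constructed scenario: an inside host traces toward 8.8.8.8 and a hop's TTL expires.
FLOWS = {Flow(PROTO_UDP, "10.0.0.5", "8.8.8.8", 40000, 33434)}
PROBE = udp_probe("10.0.0.5", "8.8.8.8", 40000, 33434)
HOP_REPLY = icmp_error("192.0.2.1", "10.0.0.5", 11, PROBE)
```

`allowed(FLOWS, HOP_REPLY, False)` is False and `allowed(FLOWS, HOP_REPLY, True)` is True, which is the traceroute behaviour described above.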