ASA default + implicit rules
wave
Member Posts: 342
Hi everyone,
I've been labbing with ASA 8.4 in GNS3 and in this case I have no access rules configured, default implicit rules only.
Based on these rules (ASA default behavior) I understand that if I ping from a machine connected to an inside interface with a security level of 100, to a machine on a DMZ interface, security level 50, I should receive a response right? i.e. the icmp echo response path will be opened for the return packets.
I've tested using packet tracer in the asdm and via the cli. Both times I receive OKs all the way through but my pings are failing.
I have a router acting as a client machine on the DMZ interface and I ran debug ip packet detail went I sent the pings. I can see the router receiving my packets and sending the response that never makes it back to me.
If I add a permit ip any any rule under the DMZ interface, or even a permit icmp echo response rule, I receive ping responses.
I know that in GNS3 I need to have each machine/router connected to an etherswitch before it connects to the ASA.
Just hoping for a sanity check here before I drop some money on rack time to test.
ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP
Comments
YFZblu Member Posts: 1,462
Yes, the ASA should be facilitating inspection as the default behavior, allowing the return traffic. Do you have ACLs applied anywhere beside the 'permit' you referenced? My understanding is that an ACL will completely override the default behavior.
My suggestion at this point is checking syslog messages; if the ASA is dropping the packets, it should show up in the logs.
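As an added illustration of the syslog check suggested above (this is example code written for this page, not the poster's and not Cisco's), here is a small Python triage script. The log lines are constructed samples modelled on the shape of ASA message IDs 302013 (TCP connection built), 302020 (ICMP connection built) and 106014 (inbound ICMP denied); the addresses and interface names are invented. It flags echo-replies denied inbound for an address pair that never had an ICMP connection built, which is the pattern you would expect when `inspect icmp` is missing from the service policy.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real appliance), shaped
# after ASA message IDs 302013, 302020 and 106014.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 12 for dmz:10.2.2.80/80 (10.2.2.80/80) to inside:10.1.1.10/40000 (10.1.1.10/40000)
%ASA-3-106014: Deny inbound icmp src dmz:10.2.2.10 dst inside:10.1.1.10 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src dmz:10.2.2.10 dst inside:10.1.1.10 (type 0, code 0)
%ASA-6-302020: Built outbound ICMP connection for faddr 10.2.2.10/0 gaddr 10.1.1.10/1 laddr 10.1.1.10/1
%ASA-3-106014: Deny inbound icmp src outside:203.0.113.9 dst inside:10.1.1.10 (type 8, code 0)
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
DENY_ICMP_RE = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)
BUILT_ICMP_RE = re.compile(
    r"Built (?:inbound|outbound) ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+"
)


def triage(log_text):
    """Count messages by ID and flag echo-replies (ICMP type 0) that were denied
    inbound although no ICMP connection was ever built for that address pair."""
    counts = Counter()
    built_pairs = set()
    unmatched = Counter()  # (reply src, reply dst, ingress interface) -> denied count
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        msg_id, body = m.group("id"), m.group("body")
        counts[msg_id] += 1
        if msg_id == "302020":
            b = BUILT_ICMP_RE.search(body)
            if b:
                built_pairs.add(frozenset((b.group("faddr"), b.group("gaddr"))))
        elif msg_id == "106014":
            d = DENY_ICMP_RE.search(body)
            # only echo-replies matter here: an unsolicited echo-request from a
            # lower-security interface being denied is the expected default
            if d and d.group("type") == "0":
                pair = frozenset((d.group("src"), d.group("dst")))
                if pair not in built_pairs:
                    unmatched[(d.group("src"), d.group("dst"), d.group("src_if"))] += 1
    findings = [
        f"{n} echo-reply packets {src} -> {dst} denied inbound on {ifc} with no ICMP "
        "connection built for that pair: check that inspect icmp is in the service policy"
        for (src, dst, ifc), n in unmatched.items()
    ]
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for msg_id, n in sorted(result["counts"].items()):
        print(f"{msg_id}: {n}")
    for finding in result["findings"]:
        print(finding)
```

Point a real syslog export at `triage()` instead of `SAMPLE_LOG`; the regexes are deliberately loose on the address fields so NAT'd or non-NAT'd lines both match.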
wave Member Posts: 342
YFZblu wrote: »Yes, the ASA should be facilitating inspection as the default behavior, allowing the return traffic. Do you have ACLs applied anywhere? My understanding is that an ACL will completely override the default behavior.
My suggestion at this point is checking syslog messages; the ASA should log dropped packets and give you more details.
No ACLs anywhere, even removed all objects and confirmed everything was clean at the CLI. I can see all of the default implicit rules in the ASDM. Yes, I should set up syslog and see what's happening. Do you know if there's an equivalent to "debug ip packet detail" on the ASA? I couldn't find anything earlier.
cisco_trooper Member Posts: 1,441
Make sure you are actually inspecting ICMP...very important.
wave Member Posts: 342
cisco_trooper wrote: »Make sure you are actually inspecting ICMP...very important.
Ah! I bet that's it. Will check this morning and report back. I found this http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
dover Member Posts: 184
Agree with Cisco_trooper, the default service policy inspection doesn't include ICMP or ICMP error inspection. So if I remember correctly the outbound packets are being allowed - higher to lower security - but the inbound returns are being denied by the global default deny. If they were being inspected they would be created as a connection and return traffic would be allowed despite the global rule.
I should lab this to make sure I'm not giving you false information but it's way too early for that. I'll try to do it later.
YFZblu Member Posts: 1,462
Here's something strange - I attempted to lab this scenario, using two routers as hosts. The pings weren't successful, but according to the Packet Tracer feature in ASA the packet should have been allowed; inspection was performed as well.
I just wiped the router configs and gave them just enough to make this scenario work, so I know there weren't any ACLs on the hosts blocking anything, and I ensured I was going from 100 to 0 as far as policy is concerned. Each host was able to ping their default gateway (ASA SVI) as well.
Wish I had more time to mess with this this morning, I'll try again tonight.
wave Member Posts: 342
I added the following inspection rule and am now getting replies:
hostname(config)# class-map icmp-class
hostname(config-cmap)# match default-inspection-traffic
hostname(config-cmap)# exit
hostname(config)# policy-map icmp_policy
hostname(config-pmap)# class icmp-class
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# exit
hostname(config)# service-policy icmp_policy interface outside
Reference: Cisco ASA 5500 Series Command Reference, 8.2 - inspect ctiqbe -- inspect xdmcp [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
YFZblu Member Posts: 1,462
Am I the only person slightly annoyed that the ASA CLI syntax differs from routers?
wave Member Posts: 342
YFZblu wrote: »Am I the only person slightly annoyed that the ASA CLI syntax differs from routers?
I find it annoying also!
astorrs Member Posts: 3,139
YFZblu wrote: »Am I the only person slightly annoyed that the ASA CLI syntax differs from routers?
wave Member Posts: 342
I thought a little more about this issue and was puzzled at why I could receive HTTP responses, web page in browser, with no HTTP inspection rules. I checked and HTTP is not listed as a protocol which is inspected by default: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring a Service Policy [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
I removed all service policies from my ASA and ICMP died but HTTP still worked. It turns out that the ASA is inspecting TCP and UDP by default but this isn't in the default list. The ASA is able to keep track of HTTP because it is stateful, as opposed to ICMP which is essentially stateless.
See forum discussions:
networking-forum.com - View topic - ASA by default does not inspect http or icmp <-- I like this response heh "No idea. ASAs are just weird."
ASA default inspection query - IEOC - INE's Online Community
https://learningnetwork.cisco.com/thread/27340
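To make the behaviour described in the thread concrete (TCP/UDP return traffic passes with no inspection configured, ICMP echo-replies pass only once `inspect icmp` is on), here is an added Python toy model of the ASA connection table. It is example code written for this page, not the poster's configuration and not ASA code; it assumes a global policy (rather than the interface-scoped one in the config above), the three security levels the thread uses, no ACLs, and constructed 10.x addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrives on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # for icmp: the echo identifier
    dport: int = 0      # for icmp: the echo sequence number
    icmp_type: int = 0  # 8 = echo request, 0 = echo reply


class AsaModel:
    """Toy model (a simplification, not the real appliance) of ASA connection
    handling with no ACLs configured:
      * a new flow is permitted only from a higher- to a lower-security interface;
      * permitted TCP/UDP flows always create a connection entry, so their return
        packets are allowed back in regardless of security level;
      * ICMP echo creates an entry only when inspect icmp is enabled; without it the
        echo-reply is judged as a brand-new inbound packet and hits the implicit deny.
    """

    def __init__(self, levels, inspect_icmp=False):
        self.levels = levels            # e.g. {"inside": 100, "dmz": 50, "outside": 0}
        self.inspect_icmp = inspect_icmp
        self.conns = set()              # entries keyed in the initiator's direction

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        if p.proto == "icmp":
            # an echo-reply keeps the request's id/seq; only src and dst swap
            return ("icmp", p.dst, p.sport, p.src, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p, egress):
        """Return (allowed, reason) for one packet going ingress -> egress."""
        is_reply = p.proto in ("tcp", "udp") or (p.proto == "icmp" and p.icmp_type == 0)
        if is_reply and self._reverse_key(p) in self.conns:
            return True, f"matches existing {p.proto} connection"
        if self.levels[p.ingress] > self.levels[egress]:
            tracked = p.proto in ("tcp", "udp") or (
                p.proto == "icmp" and p.icmp_type == 8 and self.inspect_icmp)
            if tracked:
                self.conns.add(self._key(p))
            note = "" if tracked else " (no connection entry created)"
            return True, "new flow from higher to lower security: permitted" + note
        return False, "lower to higher security with no matching connection: implicit deny"


LEVELS = {"inside": 100, "dmz": 50, "outside": 0}  # assumed, as in the thread


def ping_inside_to_dmz(inspect_icmp):
    """Echo request inside -> dmz, then the echo reply dmz -> inside.
    Returns (request_allowed, reply_allowed)."""
    asa = AsaModel(LEVELS, inspect_icmp)
    req = Packet("inside", "icmp", "10.1.1.10", "10.2.2.10", sport=0x1234, dport=1, icmp_type=8)
    rep = Packet("dmz", "icmp", "10.2.2.10", "10.1.1.10", sport=0x1234, dport=1, icmp_type=0)
    return asa.forward(req, "dmz")[0], asa.forward(rep, "inside")[0]


def http_inside_to_dmz():
    """TCP SYN inside -> dmz and the SYN/ACK back, with no ICMP inspection at all.
    Returns (syn_allowed, synack_allowed)."""
    asa = AsaModel(LEVELS, inspect_icmp=False)
    syn = Packet("inside", "tcp", "10.1.1.10", "10.2.2.80", sport=40000, dport=80)
    synack = Packet("dmz", "tcp", "10.2.2.80", "10.1.1.10", sport=80, dport=40000)
    return asa.forward(syn, "dmz")[0], asa.forward(synack, "inside")[0]


if __name__ == "__main__":
    print("ping without inspect icmp:", ping_inside_to_dmz(False))
    print("ping with inspect icmp:   ", ping_inside_to_dmz(True))
    print("http without inspect icmp:", http_inside_to_dmz())
```

The model keeps one connection table for both directions, which is why the HTTP SYN/ACK is accepted from the lower-security DMZ without any ACL: it is matched as the reverse of an existing entry before the security-level rule is ever consulted. The echo-reply only gets that treatment when the request was tracked.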