ASA default + implicit rules

wavewave Member Posts: 342
Hi everyone,

I've been labbing with ASA 8.4 in GNS3 and in this case I have no access rules configured, default implicit rules only.

Based on these rules (ASA default behavior) I understand that if I ping from a machine connected to an inside interface with a security level of 100, to a machine on a DMZ interface, security level 50, I should receive a response right? i.e. the icmp echo response path will be opened for the return packets.

I've tested using Packet Tracer in the ASDM and via the CLI. Both times I receive OKs all the way through, but my pings are failing.

I have a router acting as a client machine on the DMZ interface and I ran debug ip packet detail when I sent the pings. I can see the router receiving my packets and sending the response that never makes it back to me.

If I add a permit ip any any rule under the DMZ interface, or even a permit icmp echo response rule, I receive ping responses.

I know that in GNS3 I need to have each machine/router connected to an etherswitch before it connects to the ASA.

Just hoping for a sanity check here before I drop some money on rack time to test.

ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP

Comments

  • YFZblu Member Posts: 1,462
    Yes, the ASA should be facilitating inspection as the default behavior, allowing the return traffic. Do you have ACLs applied anywhere besides the 'permit' you referenced? My understanding is that an ACL will completely override the default behavior.

    My suggestion at this point is checking syslog messages; if the ASA is dropping the packets, it should show up in the logs.
  • wavewave Member Posts: 342
    YFZblu wrote: »
    Yes, the ASA should be facilitating inspection as the default behavior, allowing the return traffic. Do you have ACLs applied anywhere? My understanding is that an ACL will completely override the default behavior.

    My suggestion at this point is checking syslog messages; the ASA should log dropped packets and give you more details.

    No ACLs anywhere, even removed all objects and confirmed everything was clean at the CLI. I can see all of the default implicit rules in the ASDM. Yes, I should set up syslog and see what's happening. Do you know if there's an equivalent to "debug ip packet detail" on the ASA? I couldn't find anything earlier.

  • YFZblu Member Posts: 1,462
    Were you able to resolve this?
  • cisco_trooper Member Posts: 1,441
    Make sure you are actually inspecting ICMP...very important.
  • wavewave Member Posts: 342
    Make sure you are actually inspecting ICMP...very important.

    Ah! I bet that's it. Will check this morning and report back. I found this http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

  • dover Member Posts: 184
    Agree with Cisco_trooper, the default service policy inspection doesn't include ICMP or ICMP error inspection. So if I remember correctly the outbound packets are being allowed - higher to lower security - but the inbound returns are being denied by the global default deny. If they were being inspected they would be created as a connection and return traffic would be allowed despite the global rule.

    I should lab this to make sure I'm not giving you false information, but it's way too early for that. I'll try to do it later.
  • YFZblu Member Posts: 1,462
    Here's something strange - I attempted to lab this scenario, using two routers as hosts. The pings weren't successful, but according to the Packet Tracer feature in ASA the packet should have been allowed; inspection was performed as well.

    I just wiped the router configs and gave them just enough to make this scenario work, so I know there weren't any ACLs on the hosts blocking anything, and I ensured I was going from 100 to 0 as far as policy is concerned. Each host was able to ping its default gateway (ASA SVI) as well.

    Wish I had more time to mess with this this morning, I'll try again tonight.
  • Kreken Member Posts: 284
    How is your NAT setup?
  • wavewave Member Posts: 342
    I added the following inspection rule and am now getting replies:

    hostname(config)# class-map icmp-class
    hostname(config-cmap)# match default-inspection-traffic
    hostname(config-cmap)# exit
    hostname(config)# policy-map icmp_policy
    hostname(config-pmap)# class icmp-class
    hostname(config-pmap-c)# inspect icmp
    hostname(config-pmap-c)# exit
    hostname(config)# service-policy icmp_policy interface outside

    Reference: Cisco ASA 5500 Series Command Reference, 8.2 - inspect ctiqbe -- inspect xdmcp [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

  • YFZblu Member Posts: 1,462
    Am I the only person slightly annoyed that the ASA CLI syntax differs from routers?
  • wavewave Member Posts: 342
    YFZblu wrote: »
    Am I the only person slightly annoyed that the ASA CLI syntax differs from routers?

    I find it annoying also!

  • cisco_trooper Member Posts: 1,441
    You'll get used to it.
  • astorrs Member Posts: 3,139
    YFZblu wrote: »
    Am I the only person slightly annoyed that the ASA CLI syntax differs from routers?
    You can thank the legacy that is PIX.
  • wavewave Member Posts: 342
    I thought a little more about this issue and was puzzled at why I could receive HTTP responses, web page in browser, with no HTTP inspection rules. I checked and HTTP is not listed as a protocol which is inspected by default: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring a Service Policy  [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

    I removed all service policies from my ASA and ICMP died but HTTP still worked. It turns out that the ASA is inspecting TCP and UDP by default but this isn't in the default list. The ASA is able to keep track of HTTP because it is stateful, as opposed to ICMP which is essentially stateless.

    See forum discussions:

    networking-forum.com - View topic - ASA by default does not inspect http or icmp <-- I like this response heh "No idea. ASAs are just weird."

    ASA default inspection query - IEOC - INE's Online Community

    https://learningnetwork.cisco.com/thread/27340

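Two posts above turn on the same question: which protocols does the running service policy actually inspect, and where is that policy applied (globally or on one interface)? The script below is an added example, not code from any poster or from Cisco; it parses the class-map / policy-map / service-policy chain out of a `show running-config` text dump and reports the scope of `inspect icmp`. The sample configurations (`THREAD_LIKE_CONFIG`, `GLOBAL_ICMP_CONFIG`) are constructed for this example; the `icmp-class` / `icmp_policy` names mirror the ones posted in the thread, and the protocol list under `global_policy` is illustrative rather than a claim about the ASA's actual defaults.

```python
"""Report where an ASA running-config applies ICMP inspection.

Added example (not from the thread or from Cisco). Assumes the config
text follows the usual ASA layout: 'policy-map NAME' at column 0,
' class NAME' indented one space, '  inspect PROTO' indented further,
and 'service-policy NAME global|interface IF' at column 0.
"""
import re
from typing import Dict, List, Set

# Constructed sample mirroring the thread: ICMP inspection exists, but
# only in a policy-map bound to the outside interface.
THREAD_LIKE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map icmp-class
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect tftp
policy-map icmp_policy
 class icmp-class
  inspect icmp
!
service-policy global_policy global
service-policy icmp_policy interface outside
"""

# Constructed sample with 'inspect icmp' added to the global policy.
GLOBAL_ICMP_CONFIG = THREAD_LIKE_CONFIG.replace(
    "  inspect tftp\n", "  inspect tftp\n  inspect icmp\n"
)


def parse_policy_maps(config: str) -> Dict[str, Set[str]]:
    """Return {policy_map_name: set of inspected protocol keywords}.

    Context is tracked by keyword rather than by exact indentation, so
    a hand-typed or re-indented config parses the same way. Lines such
    as 'inspect dns preset_dns_map' contribute just 'dns'.
    """
    policies: Dict[str, Set[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"policy-map\s+(\S+)$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, set())
            continue
        if not raw.startswith(" "):
            # Any other column-0 keyword (class-map, service-policy,
            # 'policy-map type inspect ...') ends the current block.
            current = None
            continue
        m = re.match(r"inspect\s+(\S+)", line)
        if m and current is not None:
            policies[current].add(m.group(1))
    return policies


def parse_service_policies(config: str) -> Dict[str, List[str]]:
    """Return {policy_map_name: ['global'] and/or ['interface <name>', ...]}."""
    applied: Dict[str, List[str]] = {}
    pattern = re.compile(r"service-policy\s+(\S+)\s+(global|interface\s+\S+)$")
    for raw in config.splitlines():
        m = pattern.match(raw.strip())
        if m:
            applied.setdefault(m.group(1), []).append(m.group(2))
    return applied


def icmp_inspection_scope(config: str) -> List[str]:
    """Scopes ('global' / 'interface X') where 'inspect icmp' is in effect.

    A policy-map that inspects icmp but is never bound by a
    service-policy line contributes nothing. An empty result is the
    situation the thread started from: echo requests leave, replies die.
    """
    policies = parse_policy_maps(config)
    applied = parse_service_policies(config)
    scopes: List[str] = []
    for name, protocols in policies.items():
        if "icmp" in protocols:
            scopes.extend(applied.get(name, []))
    return sorted(scopes)


def inspected_protocols(config: str) -> Set[str]:
    """Union of protocols inspected by every *applied* policy-map."""
    policies = parse_policy_maps(config)
    applied = parse_service_policies(config)
    return set().union(*(policies[n] for n in applied if n in policies))


if __name__ == "__main__":
    for label, cfg in (("thread-like", THREAD_LIKE_CONFIG),
                       ("global icmp", GLOBAL_ICMP_CONFIG)):
        print(label, "->", icmp_inspection_scope(cfg) or "ICMP NOT INSPECTED")
```

Run it against a saved `show running-config`; an empty scope list, or a scope that does not include the interface the pings enter on, is the condition to look at before suspecting ACLs or NAT.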