Friday, November 18, 2016

Allow Pings (ICMP) & Traceroutes through Cisco ASA Firewalls

ASA firewalls do not allow ICMP traffic to pass through their interfaces by default. For production deployments that is the safer behaviour. But for lab purposes, and to verify an implementation, you will need the firewall to let it through.

How is ICMP blocked by the firewall?

It is done by the inspection rules in the default service policy. The ASA remembers traffic that passes through it from a higher-security zone to a lower-security zone so that the return traffic is allowed back in; this is stateful inspection. The inspection rules define which traffic is inspected, and by default ICMP is not in that list. The ASA therefore does not remember the outgoing ICMP traffic, and the return traffic is not allowed through.

Note the phrase "from higher security zones to lower security zones": if the security levels are equal, the traffic does not need to be inspected and any traffic can pass through. But even between zones of the same security level your pings will be dropped, because routing traffic between interfaces/zones of the same security level is disabled by default on the ASA.

Allow ICMP through Interfaces/Zones of Different Security Levels

Go to ASDM > Configuration > Firewall > Service Policy Rules



You can see that the global default service policy is applied with 13 inspection rules.

Hover the mouse pointer over the rule to see the traffic types that are inspected.



Now select the service policy and click Edit, or just double-click the service policy, to open Edit Service Policy Rule.

Go to Rule Actions and tick ICMP and ICMP Error.


Click OK and hit Apply.

Now pings and traceroutes will work from the INSIDE PC to the OUTSIDE PC.

Note: pings from OUTSIDE to INSIDE will still not work, because the INSIDE security level is higher than the OUTSIDE security level.



Allow ICMP through Interfaces/Zones of Same Security Levels 

If the security levels are the same, there is no need to change the service policy rules.


Just go to ASDM > Device Setup > Interface Settings > Interfaces, tick "Enable traffic between two or more interfaces which are configured with same security levels", and hit Apply.
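For readers who work from the CLI rather than ASDM, the two changes above (ICMP inspection for interfaces of different security levels, and same-security inter-interface traffic) map onto the following configuration. This is an added example, not from the original post; it assumes the factory-default service policy and class names (global_policy and inspection_default), so adjust them if the policy has been renamed on your device.

```text
! Added example (not from the original post): CLI equivalent of the ASDM steps.
! Assumes the factory-default names global_policy / inspection_default.
!
! 1. Interfaces with different security levels:
!    add ICMP and ICMP error inspection to the default service policy
!    (same effect as ticking "ICMP" and "ICMP Error" under Rule Actions)
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Interfaces with the same security level:
!    permit traffic between interfaces that share a security level
!    (same effect as the "Enable traffic between two or more interfaces ..." tick box)
same-security-traffic permit inter-interface
!
! Verification: confirm ICMP inspection is active and the same-security setting is present
show service-policy inspect icmp
show running-config same-security-traffic
```

With "inspect icmp" enabled the ASA tracks each echo request as a session and only admits the matching reply, so this opens the higher-to-lower direction for pings that originate on the inside; it does not by itself allow pings initiated from the lower-security side, which would need an explicit access-list and is outside the scope of this post.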
