Showing posts with label Cisco Security. Show all posts

Sunday, October 20, 2024

Enhanced ICMP Control on Cisco ASA Firewalls Post-9.7

With the introduction of Cisco ASA Software version 9.7, handling ICMP messages on the firewall saw a significant improvement. Previously, ICMP controls on ASA were rudimentary and not very granular. ICMP control was handled in an inbound direction only, and special commands were required to allow or deny specific ICMP messages on the interfaces. Moreover, the ASA could be pinged from any side by default, but broadcast pings were dropped. However, post-9.7, Cisco made changes that provided better control and flexibility for managing ICMP traffic.

In this blog, we will go over how ASA manages ICMP traffic in modern implementations, especially focusing on the improvements in ASA version 9.7 and later.

---

### 1. **ICMP Control in ASA Pre-9.7**

In the older versions of ASA, ICMP traffic controls were basic and mostly worked in the inbound direction. The firewall allowed ICMP messages on an interface, and by default, it was possible to ping the ASA from any interface except for broadcast pings. ICMP messages like echo requests could be allowed or blocked using access control lists (ACLs) and the `icmp` command. The configuration was done as follows:

- **Allow ICMP on Specific Interface**:

    icmp permit any outside
    icmp permit any inside

  This would allow all ICMP traffic inbound on both the outside and inside interfaces.

However, this approach had limitations, and there was no fine-tuned control over different ICMP types or how ICMP messages were managed in different directions. This limited functionality could be cumbersome in environments where granular control over ICMP was essential.

---

### 2. **Changes in ASA Post-9.7**

Starting with ASA version 9.7, Cisco introduced a more sophisticated way to handle ICMP traffic. Instead of relying solely on the old `icmp` command, administrators could now leverage access control lists (ACLs) for more granular control of ICMP traffic, including support for ICMP types, codes, and directions. The new method also simplifies the process and enhances security.

Key improvements include:

- **Granular Control**: ACLs now support ICMP message type and code filtering.
- **Inbound and Outbound ICMP Control**: ACLs can now be used to control ICMP messages in both inbound and outbound directions.
- **Enhanced Security**: ICMP can be restricted to specific hosts, subnets, or even particular ICMP message types, providing better security control.

Let’s walk through the modern approach to ICMP configuration on ASA post-9.7.

---

### 3. **Allowing ICMP on Specific Interfaces (Post-9.7)**

Post-9.7, ASA provides more refined controls using the familiar access-list commands to permit or deny ICMP traffic based on parameters like source, destination, ICMP type, and code.

#### **Example 1: Allowing ICMP (Ping) on the Outside Interface**

Instead of using the old `icmp` command, you now configure ICMP access through ACLs. For instance, to allow ICMP echo requests (ping) inbound on the outside interface (in production, narrow the `any` source to your trusted network):

1. **Create an ACL to allow ICMP echo requests** (the ASA keyword for an echo request, type 8, is `echo`; `echo-reply` is type 0):
    
    access-list ICMP_ALLOW extended permit icmp any any echo
    

2. **Apply the ACL to the outside interface**:
    
    access-group ICMP_ALLOW in interface outside
    

This configuration permits ICMP echo requests arriving inbound on the outside interface; any traffic the list does not explicitly permit is dropped by the implicit deny at the end of the ACL.

#### **Example 2: Denying Specific ICMP Types**

If you want to block certain types of ICMP traffic, such as timestamp requests or redirects, you can configure the ACL to deny these specific ICMP messages. For instance:

1. **Create an ACL to deny ICMP redirects**:
    
    access-list ICMP_BLOCK extended deny icmp any any redirect
    

2. **Permit the ICMP types you still need, such as echo requests (ping)** (ASA uses the keyword `echo`, not IOS's `echo-request`):
    
    access-list ICMP_BLOCK extended permit icmp any any echo
    

3. **Apply the ACL to the desired interface**:
    
    access-group ICMP_BLOCK in interface outside
    

Because the ASA evaluates an ACL top to bottom and stops at the first match, the deny for redirects must come before any broader permit. With this list, redirects are blocked and echo requests (pings) pass; any ICMP type not explicitly permitted is dropped by the implicit deny at the end of the ACL.
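To make the first-match ordering and implicit-deny behaviour of these ICMP ACLs concrete, here is an added Python model of how the ASA walks an extended ICMP access-list; it is not Cisco's code or the post's own, it models only the ICMP type keywords listed in it, and it assumes single-token source/destination fields such as `any`.

```python
import re

# ASA ICMP type keywords modelled here, with their RFC 792 type numbers.
# The ASA keyword for an echo request is "echo"; "echo-request" is IOS syntax.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8,
    "time-exceeded": 11, "timestamp-request": 13, "timestamp-reply": 14,
}

# One ACE per line; src/dst are single tokens (assumption, keeps focus on types).
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) icmp "
    r"(?P<src>\S+) (?P<dst>\S+)(?: (?P<type>\S+))?$"
)

def parse_acl(lines):
    """Parse ACE lines into ordered (action, icmp_type_or_None) tuples.

    Raises ValueError for non-ICMP ACEs or type keywords the ASA would reject.
    """
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an extended ICMP ACE: {line!r}")
        keyword = m.group("type")
        if keyword is not None and keyword not in ICMP_TYPES:
            raise ValueError(f"unknown ASA ICMP type keyword {keyword!r}")
        aces.append((m.group("action"), None if keyword is None else ICMP_TYPES[keyword]))
    return aces

def evaluate(aces, icmp_type):
    """Return "permit" or "deny" for a packet of the given ICMP type.

    Mirrors ASA processing: top to bottom, first match wins, and a packet
    matching no entry hits the implicit deny at the end of the list.
    """
    for action, matched_type in aces:
        if matched_type is None or matched_type == icmp_type:
            return action
    return "deny"

# Constructed sample: the post's ICMP_BLOCK list, using the ASA "echo" keyword.
ICMP_BLOCK = parse_acl([
    "access-list ICMP_BLOCK extended deny icmp any any redirect",
    "access-list ICMP_BLOCK extended permit icmp any any echo",
])

if __name__ == "__main__":
    for name, num in ICMP_TYPES.items():
        print(f"{name:18} (type {num:2}) -> {evaluate(ICMP_BLOCK, num)}")
```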

---

### 4. **Controlling ICMP on All Interfaces**

If you want to ensure uniform control of ICMP messages across all interfaces, you can define a global access-list and apply it globally.

#### **Example: Applying a Global ICMP Policy**

1. **Create a global ACL for ICMP**:
    
    access-list GLOBAL_ICMP extended permit icmp any any echo-reply
    access-list GLOBAL_ICMP extended deny icmp any any redirect
    

2. **Apply the ACL globally**:
    
    access-group GLOBAL_ICMP global
    

This global access-list applies the same ICMP controls across all interfaces of the ASA, simplifying management in larger, more complex environments.

---

### 5. **Best Practices for ICMP on ASA**

With these new capabilities in ASA 9.7+, you can implement best practices to manage ICMP traffic securely:

- **Use ACLs for Granular Control**: Leverage ACLs to control ICMP traffic with fine granularity, blocking unnecessary ICMP types like redirects or timestamp requests.
- **Limit ICMP to Trusted Networks**: Restrict ICMP messages to specific source IP addresses or subnets, reducing the attack surface.
- **Control ICMP in Both Directions**: Apply ACLs to both inbound and outbound traffic for better control over how ICMP messages traverse the network.
- **Monitor ICMP Traffic**: Regularly review ICMP logs to monitor for any unusual activity or potential threats, as ICMP can be used for reconnaissance or denial-of-service attacks.

---

### 6. **Conclusion**

Cisco ASA version 9.7 brought significant improvements to ICMP control. Administrators now have more granular, flexible, and secure ways to manage ICMP traffic using ACLs rather than the old, more limited `icmp` commands. Whether you need to allow pings to the firewall, block specific ICMP types, or apply global policies, ASA post-9.7 provides the tools necessary to fine-tune ICMP control to meet modern security requirements.

By following the guidelines and examples provided in this blog, you can effectively manage ICMP traffic on your ASA firewall, ensuring better security while allowing necessary diagnostics and network communications.

Friday, August 30, 2024

Evolution of ASDM Configuration and Management

In modern network environments, while ASDM (Adaptive Security Device Manager) remains a valuable tool for managing Cisco ASA devices through a GUI, the approach to its configuration and usage has evolved:

1. **Configuration of ASDM**:
   - **Old Way**: The ASDM image file needed to be manually configured and loaded from the flash disk. Access to ASDM required setting up HTTP/HTTPS access on the ASA.
   - **New Way**: While the general process of configuring ASDM remains similar, modern practices include using more automated and integrated methods for deployment. For example, newer versions of Cisco ASA firmware and ASDM come with improved management features, and software updates can often be pushed via Cisco's management tools. Configuration for HTTP/HTTPS access is still required but can be simplified with enhanced ASA configurations and automated scripts.

2. **Access and Management**:
   - **Old Way**: Accessing ASDM involved ensuring that the HTTP server was enabled on the ASA and configuring appropriate security policies.
   - **New Way**: Recent developments often focus on more secure and streamlined access methods. This includes using modern authentication mechanisms, like OAuth or multi-factor authentication (MFA), and integrating ASDM with centralized management platforms.

3. **Alternative Tools**:
   - **Old Way**: ASDM was the primary GUI tool used for ASA management.
   - **New Way**: While ASDM is still relevant, Cisco's newer management tools and platforms, such as Cisco DNA (Digital Network Architecture) or Cisco Security Management tools, offer more comprehensive solutions for network management and security.

Overall, while ASDM continues to be useful, its role is increasingly complemented by other modern management solutions that offer enhanced capabilities and integration.
