Managing ICMP Traffic on Cisco ASA Post-9.7 Without Using ACLs

Managing ICMP Traffic on Cisco ASA Without ACLs

📚 Table of Contents

• Introduction
• Problem Breakdown
• Core Concepts
• Inside → Outside/DMZ
• Outside → DMZ
• MPF Deep Dive
• CLI Configuration
• CLI Output
• Why Not ACLs
• Key Takeaways
• Related Articles

📖 Introduction

Managing ICMP (ping) traffic across firewall zones is a critical task in network security. Traditionally, administrators relied heavily on ACLs to define traffic permissions. However, modern Cisco ASA versions (9.7+) introduce a more flexible and scalable approach using the Modular Policy Framework (MPF).

💡 Key Insight: MPF allows dynamic inspection-based control instead of static rule-based filtering.

🔍 Problem Breakdown

• Allow ICMP from Inside → Outside & DMZ
• Allow ICMP from Outside → DMZ
• Block ICMP from Outside → Inside

🔽 Expand: Why this is challenging

ASA uses security levels. Traffic from low to high security is denied unless explicitly allowed.

🧠 Core Concepts Explained

Security Levels

Each interface has a level (0–100). Higher → lower traffic is allowed by default.

ICMP Inspection

Allows return traffic dynamically without ACLs.

MPF (Modular Policy Framework)

A flexible system for traffic inspection and control.

➡️ Allow ICMP: Inside → Outside & DMZ

Concept

Inside has higher security, so outbound ICMP is allowed. Inspection ensures return traffic works.

Configuration

policy-map global_policy
 class inspection_default
  inspect icmp

🔽 Expand Explanation

This enables stateful ICMP tracking. Replies are automatically permitted.

🌐 Allow ICMP: Outside → DMZ (Without ACL)

Challenge

Traffic from lower to higher security is blocked by default.

Solution Strategy

• Use MPF inspection
• Use NAT exemption
• Avoid changing security levels

⚙️ MPF Deep Dive

MPF works in three layers:

1. Class Map → Identify traffic
2. Policy Map → Define action
3. Service Policy → Apply to interface

💻 CLI Configuration (Step-by-Step)

1. NAT Exemption

object network DMZ-NETWORK
 subnet 192.168.2.0 255.255.255.0
 nat (DMZ,Outside) static DMZ-NETWORK

2. Class Map

class-map ICMP-TRAFFIC
 match default-inspection-traffic

3. Policy Map

policy-map ICMP-POLICY
 class ICMP-TRAFFIC
  inspect icmp

4. Apply Policy

service-policy ICMP-POLICY interface Outside
service-policy ICMP-POLICY interface DMZ

📟 CLI Output Example

ASA# show service-policy

Global policy:
  Class inspection_default
    Inspect: icmp

Interface Outside:
  Service-policy: ICMP-POLICY
    Inspect: icmp

Ping successful to DMZ host
Ping blocked to Inside host

🔽 Expand Output Analysis

Traffic behaves exactly as required: selective ICMP allowed without ACLs.

❓ Why Not Use ACLs?

ACLs introduce:

• Manual overhead
• Complex rule management
• Higher chance of misconfiguration

MPF provides dynamic, scalable control.

🎯 Key Takeaways

• MPF replaces ACL-heavy designs
• ICMP inspection enables stateful behavior
• NAT exemption allows selective flows
• Security levels remain intact
• Configuration stays clean and scalable

📘 Final Thoughts

Modern ASA configurations favor inspection-based policies over static rules. By leveraging MPF, you gain better control, improved security, and reduced complexity.

Securing Your FTP Server in the DMZ with Cisco ASA Post-9.7: Masking Sensitive Information

Securing an FTP server, especially one located in the DMZ (Demilitarized Zone), is critical because FTP servers can often be targets for reconnaissance during cyberattacks. Information such as software version numbers, system banners, or directory structures can provide attackers with clues about potential vulnerabilities. In older versions of Cisco ASA, masking or hiding this information required a Layer 7 (L7) policy map configuration with regex patterns. However, with Cisco ASA version 9.7 and beyond, we have more efficient and straightforward methods to accomplish this task.

In this blog, we’ll walk through how to secure your FTP server by masking sensitive information using the enhanced features in ASA post-9.7.

### Why Mask FTP Information?

When a user connects to an FTP server, the server usually discloses certain information that can be exploited by attackers, such as:

- FTP software version numbers

- Host operating system details

- Directory structures or file permissions

By masking or hiding this information, you reduce the attack surface and limit the amount of detail an attacker can use for reconnaissance.

### Key Enhancements in Cisco ASA Post-9.7

Cisco ASA version 9.7 introduced significant improvements in the handling of application-level protocols like FTP. These include:

- **Better Layer 7 (L7) inspection capabilities**: Allowing for easier inspection and control over traffic at the application layer.

- **Advanced FTP inspection policies**: These policies now support more sophisticated manipulation of FTP traffic, such as masking sensitive responses from the server.

- **Streamlined configuration**: The process of configuring L7 inspection policies has been simplified, eliminating the need for complex regex matching for common tasks.

### Steps to Mask Sensitive Information on Your FTP Server Using Cisco ASA Post-9.7

#### 1. **Enable FTP Inspection** (If Not Already Done)

Before proceeding with masking, you must ensure that FTP traffic is being inspected by the ASA. If you haven’t already configured FTP inspection, you can verify this with the following commands:

class-map inspection_default

   match default-inspection-traffic

policy-map global_policy

   class inspection_default

      inspect ftp

This ensures FTP traffic is inspected by default, allowing the ASA to inspect and modify FTP commands and responses as needed.

#### 2. **Configure FTP Inspection Parameters**

In post-9.7 ASA versions, FTP-specific parameters can be added to the L7 policy map to hide or mask specific information. These parameters can block the disclosure of FTP server responses, software banners, and other sensitive details.

Create a new class map or modify an existing one to include FTP masking parameters.

class-map type inspect ftp match-any FTP_INSPECTION_CLASS

   match request-command "USER"

   match request-command "RETR"

   match request-command "STOR"

   match request-command "PWD"

policy-map type inspect ftp FTP_MASKING_POLICY

   parameters

      no-banners

      mask-reply 230

      mask-reply 257

      mask-reply 215

In this example:

- **no-banners**: Hides the FTP server’s banner information, which usually includes the FTP software version and operating system details.

- **mask-reply 230**: Masks the "Login successful" message when the user logs in. This prevents the server from leaking details about user privileges or account settings.

- **mask-reply 257**: Masks the response to the `PWD` (Print Working Directory) command, hiding sensitive directory information from the client.

- **mask-reply 215**: Masks the server response that reveals the operating system type.

These responses are common points where FTP servers can inadvertently disclose sensitive information to users.

#### 3. **Apply the FTP Inspection Policy**

Once you have configured the class map and policy map, the final step is to apply this policy to the appropriate interface or globally. Typically, for an FTP server located in the DMZ, you would apply the inspection policy on the interface connected to the DMZ.

policy-map global_policy

   class inspection_default

      inspect ftp FTP_MASKING_POLICY

This ensures that the FTP inspection policy with masking parameters is applied globally across all FTP traffic going through the ASA firewall.

#### 4. **Monitor and Verify**

After applying the configuration, it’s essential to test and verify that the information masking works as expected. You can connect to the FTP server using various user accounts and monitor the responses to ensure sensitive details like version numbers, operating system details, and directory paths are not being exposed.

You can monitor logs to confirm the policy is being enforced:

show logging | include FTP

This will provide real-time feedback on the FTP inspection policy and any actions taken by the ASA in response to FTP traffic.

#### 5. **Optional: Fine-Tune the Configuration**

Depending on the specific requirements of your FTP server and environment, you may need to fine-tune the masking policy. For instance, if there are additional FTP commands or responses that you want to mask or block, you can adjust the policy by adding more `mask-reply` lines or modifying the `parameters` section.

For example, to block or mask the output of additional FTP commands such as `LIST` or `SYST`, you could add:

match request-command "LIST"

match request-command "SYST"

This would further reduce the amount of exposed information during an FTP session.

### Conclusion

Securing your FTP server in the DMZ is crucial, and masking sensitive information is a key part of reducing the attack surface. With Cisco ASA post-9.7, masking FTP server responses has become more efficient and streamlined, leveraging enhanced Layer 7 inspection capabilities and protocol-specific configurations.

By using the `no-banners` and `mask-reply` features within the FTP inspection policy, you can effectively hide critical information that could otherwise be exploited by attackers during a reconnaissance phase. Always remember to test your configurations in a controlled environment before deploying them in production, and regularly monitor logs to ensure your policies are functioning as expected.

This modern approach to FTP protection ensures that your server remains more secure while maintaining compatibility and performance in your network environment.