Sunday, September 29, 2024

Managing ICMP Traffic on Cisco ASA Post-9.7 Without Using ACLs

📖 Introduction

Managing ICMP (ping) traffic across firewall zones is a critical task in network security. Traditionally, administrators relied heavily on ACLs to define traffic permissions. However, modern Cisco ASA versions (9.7+) introduce a more flexible and scalable approach using the Modular Policy Framework (MPF).

💡 Key Insight: MPF allows dynamic inspection-based control instead of static rule-based filtering.

๐Ÿ” Problem Breakdown

  • Allow ICMP from Inside → Outside & DMZ
  • Allow ICMP from Outside → DMZ
  • Block ICMP from Outside → Inside

Why this is challenging

The ASA uses interface security levels. Traffic from a lower-security interface to a higher-security one is denied unless it is explicitly allowed.

🧠 Core Concepts Explained

Security Levels

Each interface has a security level from 0 to 100. Traffic from a higher-level interface to a lower-level one is allowed by default.

ICMP Inspection

Tracks ICMP echo requests so that the matching replies are allowed back dynamically, without ACLs.

MPF (Modular Policy Framework)

A flexible system for traffic inspection and control.

➡️ Allow ICMP: Inside → Outside & DMZ

Concept

Inside has higher security, so outbound ICMP is allowed. Inspection ensures return traffic works.

Configuration

policy-map global_policy
 class inspection_default
  inspect icmp

Explanation

This enables stateful ICMP tracking. Replies are automatically permitted.

๐ŸŒ Allow ICMP: Outside → DMZ (Without ACL)

Challenge

Traffic from lower to higher security is blocked by default.

Solution Strategy

  • Use MPF inspection
  • Use NAT exemption
  • Avoid changing security levels

⚙️ MPF Deep Dive

MPF works in three layers:

  1. Class Map → Identify traffic
  2. Policy Map → Define action
  3. Service Policy → Apply to interface

💻 CLI Configuration (Step-by-Step)

1. NAT Exemption

object network DMZ-NETWORK
 subnet 192.168.2.0 255.255.255.0
 nat (DMZ,Outside) static DMZ-NETWORK

This is static identity NAT: the DMZ subnet is translated to itself, so DMZ hosts keep their real addresses toward the Outside interface.

2. Class Map

class-map ICMP-TRAFFIC
 match default-inspection-traffic

3. Policy Map

policy-map ICMP-POLICY
 class ICMP-TRAFFIC
  inspect icmp

4. Apply Policy

service-policy ICMP-POLICY interface Outside
service-policy ICMP-POLICY interface DMZ

📟 CLI Output Example

ASA# show service-policy

Global policy:
  Class inspection_default
    Inspect: icmp

Interface Outside:
  Service-policy: ICMP-POLICY
    Inspect: icmp

Ping successful to DMZ host
Ping blocked to Inside host

Output Analysis

Traffic behaves exactly as required: selective ICMP allowed without ACLs.
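As an added verification step (example code, not from the original post), the following Python parses output shaped like the show service-policy listing above and reports which policy scopes lack inspect icmp. The sample output is constructed for this example; on a real appliance each Inspect line carries packet and drop counters after the protocol name, which the regular expression ignores.

```python
import re
from typing import Dict, List, Optional

# Constructed sample shaped like the "show service-policy" output shown in the post
# (not captured from a real appliance). Inside deliberately lacks ICMP inspection.
SAMPLE_OUTPUT = """\
Global policy:
  Class inspection_default
    Inspect: icmp
    Inspect: dns

Interface Outside:
  Service-policy: ICMP-POLICY
    Inspect: icmp

Interface DMZ:
  Service-policy: ICMP-POLICY
    Inspect: icmp

Interface Inside:
  Service-policy: WEB-POLICY
    Inspect: http
"""


def parse_service_policy(text: str) -> Dict[str, List[str]]:
    """Map each policy scope ("Global" or an interface name) to the protocols it
    inspects, taken from the "Inspect:" lines listed under that scope."""
    scopes: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Global policy:":
            current = "Global"
            scopes.setdefault(current, [])
        elif m := re.match(r"Interface (\S+):", line):
            current = m.group(1)
            scopes.setdefault(current, [])
        elif current and (m := re.match(r"Inspect:\s+([A-Za-z0-9_-]+)", line)):
            # Real output appends ", packet N, drop N ..." which the pattern skips.
            scopes[current].append(m.group(1).lower())
    return scopes


def missing_icmp_inspection(text: str, required: List[str]) -> List[str]:
    """Return the required scopes that have no ICMP inspection, so a missing
    service-policy or a mistyped interface name is caught before relying on it."""
    scopes = parse_service_policy(text)
    return [scope for scope in required if "icmp" not in scopes.get(scope, [])]


if __name__ == "__main__":
    print(missing_icmp_inspection(SAMPLE_OUTPUT, ["Global", "Outside", "DMZ", "Inside"]))
```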

❓ Why Not Use ACLs?

ACLs introduce:

  • Manual overhead
  • Complex rule management
  • Higher chance of misconfiguration

MPF provides dynamic, scalable control.

🎯 Key Takeaways

  • MPF replaces ACL-heavy designs
  • ICMP inspection enables stateful behavior
  • NAT exemption allows selective flows
  • Security levels remain intact
  • Configuration stays clean and scalable

📘 Final Thoughts

Modern ASA configurations favor inspection-based policies over static rules. By leveraging MPF, you gain better control, improved security, and reduced complexity.
