Cisco ASA :: Verifying ICMP Reachability on the ASA

-

If you’re a firewall engineer or work closely with the Cisco ASA then no doubt you will often find yourself troubleshooting and verifying reachability of packets on a network. One great feature that the ASA has to test reachability is the ‘packet-tracer’ command which when given an input will provide you with a very handy output that shows how the packet would be processed through the ASA.

In this article, I will show you how we can use the packet-tracer command to verify ICMP reachability and we will also take a look at the process in which the ASA uses. For this demonstration, I am using an ASAv version (9.8) code.
By default, ICMP is not inspected on the ASA and therefore all ICMP traffic will be dropped. In order to the allow ICMP, you need to inspect it and to do this we can add the following command to the ‘global_policy’ policy-map;
class inspection_defaultinspect icmp
Once you have configured the policy-map you can then configure ACL’s to permit ICMP traffic as you desire. In this example, we will permit ICMP from a host behind the ASA firewall to any destination and another ICMP rule that permits ICMP from the second site’s public IP address to the main site’s host address.
access-list INSIDE extended permit icmp object MAIN-SITE-HOST any access-list OUTSIDE extended permit icmp object BRANCH-PUBIP object MAIN-SITE-HOSTaccess-group INSIDE in interface INSIDE1 access-group OUTSIDE in interface OUTSIDE

 

Now that we have configured the correct parameters we can either run a ping test or we can use the packet-tracer feature. In this article, we will use the packet-tracer feature to demonstrate its capabilities. Below you will see the packet-tracer command followed by a detailed output.
ciscoasa/act/pri(config)# packet-tracer input INSIDE1 icmp 192.168.10.10 8 0 209.165.100.18 detailed    Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbeda3b0b0, priority=13, domain=capture, deny=false hits=1805497, user_data=0x7fdbed256740, cs_id=0x0, l3_type=0x0 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 input_ifc=INSIDE1, output_ifc=any Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbeda1c630, priority=1, domain=permit, deny=false hits=992191, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=INSIDE1, output_ifc=any Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 209.165.100.3 using egress ifc OUTSIDE Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group INSIDE in interface INSIDE1 access-list INSIDE extended permit icmp object MAIN-SITE-HOST any Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbedb42b20, priority=13, domain=permit, deny=false hits=27, user_data=0x7fdbf92d3640, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=192.168.10.10, mask=255.255.255.255, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=INSIDE1, output_ifc=any Phase: 5 Type: NAT Subtype: Result: ALLOW Config: object network MAIN-SITE-HOST nat (INSIDE1,OUTSIDE) static MAIN-SITE-HOST-NAT Additional Information: Static translate 192.168.10.10/0 to 209.165.100.4/0 Forward Flow based lookup yields rule: in id=0x7fdbeda3b350, priority=6, domain=nat, deny=false hits=3348, user_data=0x7fdbedaa1410, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.10.10, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=INSIDE1, output_ifc=OUTSIDE Phase: 6 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbed242ec0, priority=0, domain=nat-per-session, deny=true hits=453421, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 7 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbeda25750, priority=0, domain=inspect-ip-options, deny=true hits=282115, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=INSIDE1, output_ifc=any Phase: 8 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbedb213d0, priority=70, domain=inspect-icmp, deny=false hits=177198, user_data=0x7fdbedb1fe10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=INSIDE1, output_ifc=any Phase: 9 Type: QOS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbedc60f80, priority=70, domain=qos-per-class, deny=false hits=561692, user_data=0x7fdbed9545c0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 10 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fdbeda24f60, priority=66, domain=inspect-icmp-error, deny=false hits=177221, user_data=0x7fdbeda244e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=INSIDE1, output_ifc=any Phase: 11 Type: QOS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7fdbedc60f80, priority=70, domain=qos-per-class, deny=false hits=561693, user_data=0x7fdbed9545c0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7fdbed242ec0, priority=0, domain=nat-per-session, deny=true hits=453423, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7fdbeda86ea0, priority=0, domain=inspect-ip-options, deny=true hits=103963, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=OUTSIDE, output_ifc=any Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 284909, packet dispatched to next module Module information for forward flow … snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_inspect_icmp snp_fp_translate snp_fp_adjacency snp_fp_fragment snp_ifc_stat Module information for reverse flow … snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_translate snp_fp_inspect_icmp snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: INSIDE1 input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: allow
You may have noticed that I specified two ICMP codes ‘8’ and ‘0’ within the packet-tracer command, these codes represent echo(8) and echo-reply(0) packets. Click here for a full list of ICMP types.
 
Explaining each phase in detail is beyond the scope of this article but if you take a good look at each phase you should be able to see that the ASA looks for the next hop IP,  it is then matched against the ACL’s previously created before being NAT’ed and passed through additional phases. We can then see at the end of the output in the final result that the ICMP traffic is permitted.
 
#Cisco #ASAICMPPacketTracer #asa #ASAPackettracer #ICMP #AdaptiveSecurityAppliance #ciscoasa #PacketTracerICMP #ICMPtypes
Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you wish
Read more

Cisco :: FXOS Authentication Using TACACS

-
In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+. At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me. Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized. Requirements A ‘Device Administration’ license is required in order to use TACACS+ with
Read more

Configuring Remote Access VPN on Firepower

-
Image
In this article we are going to take a look at how to configure remote access VPN's on Firepower devices. This demonstration is based on the following lab environment: Cisco Virtual Firepower Management Center Cisco Virtual Firepower Threat Defense Cisco ISE 2.6 Windows host with AnyConnect VPN Windows Server 2019 (CA Server) All Firepower devices are running version 6.5 Note: ISE is used for authentication and authorization in the following lab however the configuration elements of ISE are out of scope for this demonstration. Generate a CSR for Remote Access VPN's Those accessing your network remotely need to trust the service you're running. Without the correct trust users could face issues connecting via VPN. With access to the FMC navigate to Objects > Object Management > PKI > Cert Enrollment Assuming you are opting for manual enrollment, select 'Manual' in Enrollment Type and copy the CA Certificate BASE-64 into the field. Now select the 'Certifi
Read more

Kali Linux :: CAM Table Overflow Attack Demonstration

-
Image
As part of my on-going studying for the CCNA Security 210 – 260 certification I have been exploring different types of network attacks, one of which is CAM table overflow attacks. In this article I would like to share what I have learnt and provide a demonstration of the attack carried out in a lab environment. To understand my demonstration, you first need to understand how a CAM table overflow attack works and what happens as a result of the attack.   Switches build Content Addressable Memory (CAM) tables based on mac-addresses and port numbers. When a switch receives a frame it checks the table to see if the source mac-address is already known, if the source mac-address is unknown the switch will add the mac-address to the table along with the port number. The switch then checks the destination layer two frame and if no entry exists the switch broadcasts the frame out of all ports except the port in which the frame was received. Presuming the destination mac-address wants to respond
Read more