ICMP inspection tracks ICMP traffic so that replies are only allowed through when they match a request (one request, one reply).

The ASA creates something like a TCP session, but for ICMP. It inspects each ICMP packet for source and destination address, ICMP type, identifier and sequence number.

EXAMPLE1

ICMP echo request from inside:10.10.1.10 to outside:8.8.8.8 ID=3429 seq=1 len=56
ICMP echo request translating inside:10.10.1.10/3429 to outside:91.223.184.147/31611
ICMP echo reply from outside:8.8.8.8 to inside:91.223.184.147 ID=31611 seq=1 len=56
ICMP echo reply untranslating outside:91.223.184.147/31611 to inside:10.10.1.10/3429


EXAMPLE2

ICMP echo request from inside:10.10.1.10 to outside:8.8.8.8 ID=3480 seq=1 len=56
ICMP echo request translating inside:10.10.1.10/3480 to outside:91.223.184.147/14000
ICMP echo reply from outside:8.8.8.8 to inside:91.223.184.147 ID=14000 seq=1 len=56
ICMP echo reply untranslating outside:91.223.184.147/14000 to inside:10.10.1.10/3480
ICMP echo request from inside:10.10.1.10 to outside:8.8.8.8 ID=3480 seq=2 len=56
ICMP echo request translating inside:10.10.1.10/3480 to outside:91.223.184.147/14000
ICMP echo reply from outside:8.8.8.8 to inside:91.223.184.147 ID=14000 seq=2 len=56
ICMP echo reply untranslating outside:91.223.184.147/14000 to inside:10.10.1.10/3480
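The state table behind these log lines, as a small model added here (not ASA code): an echo request creates a translation of the ICMP identifier (PAT of the ID) and a pending entry keyed on source, peer, identifier and sequence; a reply is forwarded only if it matches a pending entry, and the entry is consumed so a second copy is dropped. The inside host, mapped address and identifiers are those of Example 2; the sequential mapped-ID allocator starting at 14000 is a constructed simplification.

```python
# Added example (not ASA code): a small model of ICMP inspection with PAT of the
# ICMP identifier. The inside host, the mapped address and the identifiers come
# from the page's Example 2; the sequential mapped-ID allocator is constructed.
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class Icmp:
    """The fields the inspector looks at: addresses, type, identifier, sequence."""
    src: str
    dst: str
    type: int
    ident: int
    seq: int
    length: int = 56


class IcmpInspector:
    """Tracks echo requests so that exactly one matching reply is allowed back."""

    def __init__(self, mapped_ip: str, first_mapped_ident: int = 14000):
        self.mapped_ip = mapped_ip
        self.next_ident = first_mapped_ident  # constructed allocator, not the ASA's
        self.xlate = {}       # (real_src, real_ident) -> mapped_ident (PAT of the ID)
        self.reverse = {}     # mapped_ident -> (real_src, real_ident)
        self.pending = set()  # (real_src, peer, real_ident, seq) awaiting one reply
        self.log = []

    def _mapped_ident(self, real_src: str, real_ident: int) -> int:
        key = (real_src, real_ident)
        if key not in self.xlate:
            self.xlate[key] = self.next_ident
            self.reverse[self.next_ident] = key
            self.next_ident += 1
        return self.xlate[key]

    def outbound(self, pkt: Icmp) -> Optional[Icmp]:
        """Echo request leaving the inside interface: record it, then translate."""
        if pkt.type != ECHO_REQUEST:
            return None
        mapped = self._mapped_ident(pkt.src, pkt.ident)
        self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        self.log.append(f"ICMP echo request from inside:{pkt.src} to outside:{pkt.dst} "
                        f"ID={pkt.ident} seq={pkt.seq} len={pkt.length}")
        self.log.append(f"ICMP echo request translating inside:{pkt.src}/{pkt.ident} "
                        f"to outside:{self.mapped_ip}/{mapped}")
        return Icmp(self.mapped_ip, pkt.dst, ECHO_REQUEST, mapped, pkt.seq, pkt.length)

    def inbound(self, pkt: Icmp) -> Optional[Icmp]:
        """Echo reply arriving from outside: forwarded only if it matches a request."""
        if pkt.type != ECHO_REPLY or pkt.dst != self.mapped_ip:
            return None
        key = self.reverse.get(pkt.ident)
        if key is None:
            return None                      # no translation for this ID: dropped
        real_src, real_ident = key
        state = (real_src, pkt.src, real_ident, pkt.seq)
        if state not in self.pending:
            return None                      # wrong peer, wrong seq, or second reply: dropped
        self.pending.discard(state)          # one request, one reply
        self.log.append(f"ICMP echo reply from outside:{pkt.src} to inside:{pkt.dst} "
                        f"ID={pkt.ident} seq={pkt.seq} len={pkt.length}")
        self.log.append(f"ICMP echo reply untranslating outside:{self.mapped_ip}/{pkt.ident} "
                        f"to inside:{real_src}/{real_ident}")
        return Icmp(pkt.src, real_src, ECHO_REPLY, real_ident, pkt.seq, pkt.length)


def replay_example2() -> list:
    """Replay the two ping round trips of Example 2 and return the inspector's log."""
    insp = IcmpInspector("91.223.184.147")
    for seq in (1, 2):
        req = insp.outbound(Icmp("10.10.1.10", "8.8.8.8", ECHO_REQUEST, 3480, seq))
        # The peer answers the translated request with the mapped identifier.
        insp.inbound(Icmp(req.dst, req.src, ECHO_REPLY, req.ident, req.seq))
    return insp.log


if __name__ == "__main__":
    print("\n".join(replay_example2()))
```

Running it prints the eight lines of Example 2. Note that the second request with the same real identifier reuses mapped ID 14000, exactly as in the log above, while a reply with an unknown identifier, from a different peer, or arriving a second time for the same sequence number is dropped.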


ICMP Error Inspection

When ICMP error inspection is disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP error messages. Because the intermediate hops are not translated, they all appear with the mapped destination IP address (see Test 1).

The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved five-tuple, a lookup is performed to determine the original address of the client.

The ICMP error inspection engine makes the following changes to the ICMP packet:

  • In the IP header, the mapped IP is changed to the real IP (destination address) and the IP checksum is modified.
  • In the ICMP header, the ICMP checksum is modified due to the changes in the ICMP packet.
  • In the payload, the following changes are made:
        – Original packet mapped IP is changed to the real IP
        – Original packet mapped port is changed to the real port
        – Original packet IP checksum is recalculated


TEST 1

ICMP Error Inspection disabled

C:\Program Files\PDFCreator\Images2PDF>tracert 91.223.184.154

Trasa śledzenia do xxxxxxxxxx [91.223.184.154]
przewyższa maksymalną liczbę przeskoków 30

1 2 1 ms 1 ms 1 ms gw.chr26.1000lecie.pl [195.177.84.1]
3 3 ms 2 ms 2 ms vlan100-sw1.1000lecie.pl [195.177.64.49]
4 1 ms 5 4 ms 4 ms 8 ms netia.ip4.e-poludnie.pl [195.191.170.86]
6 2 ms 1 ms 1 ms 87.204.225.43
7 3 ms 3 ms 3 ms ns2.promont.iq.pl [195.43.143.2]
8 7 ms * 5 ms pub-184.146.promont.iq.pl [91.223.184.146]
9 4 ms 5 ms 4 ms xxxxxxxxxxxx [91.223.184.154]
10 4 ms 5 ms 4 ms xxxxxxxxxxx [91.223.184.154]


TEST 2

ICMP Error Inspection is enabled

C:\Program Files\PDFCreator\Images2PDF>tracert 91.223.184.154

Trasa śledzenia do xxxxxxxx [91.223.184.154]
przewyższa maksymalną liczbę przeskoków 30

1 2 1 ms 1 ms 1 ms c3b1541.1000lecie.pl [195.177.84.1]
3 2 ms 2 ms 2 ms vlan100-sw1.1000lecie.pl [195.177.64.49]
4 1 ms 5 2 ms 2 ms 1 ms netia.ip4.e-poludnie.pl [195.191.170.86]
6 2676 ms * * 87.204.225.43
7 3 ms 3 ms 4 ms ns2.promont.iq.pl [195.43.143.2]
8 * * * Upłynął limit czasu żądania.
9 * * * Upłynął limit czasu żądania.
10 5 ms 4 ms 4 ms xxxxxxxxxxxx [91.223.184.154]

[Image: icmp-inspection-1.PNG]

We see “* * *” on nodes 8 and 9 because there is no NAT for the intermediate nodes. Below is the same trace with NAT configured for node 9.

C:\Program Files\PDFCreator\Images2PDF>tracert 91.223.184.154

Trasa śledzenia do xxxxxxxxx [91.223.184.154]
przewyższa maksymalną liczbę przeskoków 30

1 2 1 ms 1 ms 1 ms gw.chr26.1000lecie.pl [195.177.84.1]
3 2 ms 2 ms 2 ms vlan100-sw1.1000lecie.pl [195.177.64.49]
4 1 ms 1 ms 1 ms ge0-0-1-50.r1.1000lecie.pl [195.177.64.5]
5 4 ms 1 ms 1 ms netia.ip4.e-poludnie.pl [195.191.170.86]
6 45 ms 2 ms 2 ms 87.204.225.43
7 3 ms 3 ms 4 ms ns2.promont.iq.pl [195.43.143.2]
8 * * * Upłynął limit czasu żądania.
9 6 ms 10 ms 4 ms xxxxxxxxxxxx [91.223.184.157]
10 4 ms 4 ms 4 ms xxxxxxxxxxxx [91.223.184.154]

Śledzenie zakończone.


dzbanek 2013-03-11