ICMP inspection tracks ICMP traffic so that a reply is only allowed through when it matches a request (one request, one reply).
The ASA creates something like a TCP session, but for ICMP: it tracks the ICMP source and destination address, the ICMP type, the identifier and the sequence number. Under PAT the identifier plays the role a port plays for TCP, which is why the examples below show the ID being translated (3429 to 31611) while the sequence number passes unchanged.
EXAMPLE 1
ICMP echo request from inside:10.10.1.10 to outside:8.8.8.8 ID=3429 seq=1 len=56
ICMP echo request translating inside:10.10.1.10/3429 to outside:91.223.184.147/31611
ICMP echo reply from outside:8.8.8.8 to inside:91.223.184.147 ID=31611 seq=1 len=56
ICMP echo reply untranslating outside:91.223.184.147/31611 to inside:10.10.1.10/3429
EXAMPLE 2
ICMP echo request from inside:10.10.1.10 to outside:8.8.8.8 ID=3480 seq=1 len=56
ICMP echo request translating inside:10.10.1.10/3480 to outside:91.223.184.147/14000
ICMP echo reply from outside:8.8.8.8 to inside:91.223.184.147 ID=14000 seq=1 len=56
ICMP echo reply untranslating outside:91.223.184.147/14000 to inside:10.10.1.10/3480
ICMP echo request from inside:10.10.1.10 to outside:8.8.8.8 ID=3480 seq=2 len=56
ICMP echo request translating inside:10.10.1.10/3480 to outside:91.223.184.147/14000
ICMP echo reply from outside:8.8.8.8 to inside:91.223.184.147 ID=14000 seq=2 len=56
ICMP echo reply untranslating outside:91.223.184.147/14000 to inside:10.10.1.10/3480
ICMP Error Inspection
When ICMP Error inspection is disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP error messages. Because the intermediate hops are not translated, all of them appear with the mapped destination IP address (see TEST 1). When it is enabled, the ASA translates each intermediate hop according to the NAT configuration, so a hop that has no NAT rule does not show up at all (see TEST 2).
The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved five-tuple, a lookup is performed to determine the original address of the client.
The ICMP error inspection engine makes the following changes to the ICMP packet:
- In the IP Header, the mapped IP is changed to the real IP (Destination Address) and the IP checksum is modified
- In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.
- In the Payload, the following changes are made:
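The session tracking from the top of this post (one request, one reply) and the error-inspection steps just listed, as an added Python model. This is not ASA code and is not from the original post; it only imitates the behaviour the three tracert runs below show. It builds real IPv4/ICMP bytes with the standard library, keeps one session per echo request so that only one reply is passed, and handles a Time Exceeded from an inside router the way the tests show: it reads the 5-tuple out of the quoted packet, looks up the session, rewrites the quoted destination back to the mapped address with a fresh IP checksum, recomputes the ICMP checksum over the changed payload, and then sets the outer source and the outer IP header checksum: the mapped destination when error inspection is off (TEST 1, hop 9), the node's own NAT address when the node has one (the trace with a NAT rule for node 9), and a drop when it has none (TEST 2, the "* * *" hops). The list above describes the mirror case of an error coming back to an inside client, where the mapped destination is turned into the real one; the lookup and checksum steps are the same. The outside host 195.177.84.10, the inside server 10.10.1.20 behind 91.223.184.154, the inside router 10.10.1.1 and the static NAT entries are assumptions; only 91.223.184.154 and 91.223.184.157 come from the traces. TTL is left alone and ICMP types other than echo, echo reply and Time Exceeded are dropped.

```python
import socket
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11

def checksum(data):
    """RFC 1071 Internet checksum; over a header or message that already carries its checksum it gives 0."""
    total = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), bytes(data) + b"\0" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fix_checksum(buf, field, start, end=None):
    """Zero the 16-bit checksum at buf[field] and recompute it over buf[start:end]."""
    buf = bytearray(buf)
    buf[field:field + 2] = b"\0\0"
    buf[field:field + 2] = struct.pack("!H", checksum(buf[start:end]))
    return bytes(buf)

def rewrite_ip(pkt, src=None, dst=None):
    """Patch the IPv4 source/destination and redo the header checksum; the payload is left alone."""
    pkt = bytearray(pkt)
    for offset, ip in ((12, src), (16, dst)):
        if ip:
            pkt[offset:offset + 4] = socket.inet_aton(ip)
    return fix_checksum(pkt, 10, 0, (pkt[0] & 0x0F) * 4)

def packet(src, dst, typ, ident=0, seq=0, payload=b""):
    """IPv4 (plain 20-byte header, protocol 1, TTL 64) around ICMP (type, code 0, checksum, id, seq, payload)."""
    icmp = fix_checksum(struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload, 2, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return rewrite_ip(hdr + icmp)

def parse(pkt):
    """-> (src, dst, proto, ICMP type, id, seq, everything after the 8-byte ICMP header). No checksum check:
    the ICMP message quoted inside an error is cut to 8 bytes, so its checksum can never be verified."""
    ihl = (pkt[0] & 0x0F) * 4
    typ, _, _, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], typ, ident, seq, pkt[ihl + 8:]

class Asa:
    """Model of 'inspect icmp' (+ optional 'inspect icmp error') with static NAT for inside hosts; not Cisco code."""
    def __init__(self, static_nat, inspect_icmp_error):
        self.real_to_mapped, self.mapped_to_real = dict(static_nat), {m: r for r, m in static_nat.items()}
        self.inspect_icmp_error = inspect_icmp_error
        self.pending = set()  # (outside host, real inside host, id, seq): exactly one reply allowed per request

    def from_outside(self, pkt):
        """Echo request to a mapped address: untranslate the destination and open a session."""
        src, dst, proto, typ, ident, seq, _ = parse(pkt)
        if proto != 1 or typ != ECHO_REQUEST or dst not in self.mapped_to_real:
            return None
        self.pending.add((src, self.mapped_to_real[dst], ident, seq))
        return rewrite_ip(pkt, dst=self.mapped_to_real[dst])  # static NAT: ICMP id/seq stay as they are

    def from_inside(self, pkt):
        """Echo reply or Time Exceeded from inside -> translated packet, or None when dropped."""
        src, dst, proto, typ, ident, seq, quoted = parse(pkt)
        if proto == 1 and typ == ECHO_REPLY and (dst, src, ident, seq) in self.pending:
            self.pending.remove((dst, src, ident, seq))  # one request, one reply: a repeat is dropped
            return rewrite_ip(pkt, src=self.real_to_mapped[src])
        if proto == 1 and typ == TIME_EXCEEDED:
            return self.translate_error(src, pkt, quoted)
        return None

    def translate_error(self, node, pkt, quoted):
        """ICMP error inspection: 5-tuple from the quoted packet -> session lookup -> rewrite and re-checksum."""
        q_src, q_dst, q_proto, _, q_id, q_seq, _ = parse(quoted)  # quoted = original IP header + 8 ICMP bytes
        if q_proto != 1 or (q_src, q_dst, q_id, q_seq) not in self.pending:
            return None
        mapped_dst = self.real_to_mapped[q_dst]
        if not self.inspect_icmp_error:
            outer_src = mapped_dst                 # TEST 1: every inside hop shows the mapped destination
        elif node in self.real_to_mapped:
            outer_src = self.real_to_mapped[node]  # NAT rule for the node: the hop shows its own NAT address
        else:
            return None                            # TEST 2: no NAT rule for the node -> tracert prints * * *
        ihl = (pkt[0] & 0x0F) * 4
        pkt = pkt[:ihl + 8] + rewrite_ip(quoted, dst=mapped_dst)  # payload: real IP -> mapped IP, IP checksum redone
        pkt = fix_checksum(pkt, ihl + 2, ihl)                    # ICMP checksum now covers the changed payload
        return rewrite_ip(pkt, src=outer_src)                    # outer IP header: new source, checksum redone

OUTSIDE, TRACED, SERVER, ROUTER = "195.177.84.10", "91.223.184.154", "10.10.1.20", "10.10.1.1"  # assumed topology

def trace_hop(inspect_icmp_error, router_has_nat):
    """Probe whose TTL expires on ROUTER -> (hop address the outside host sees, quoted destination) or None (* * *)."""
    asa = Asa({SERVER: TRACED, **({ROUTER: "91.223.184.157"} if router_has_nat else {})}, inspect_icmp_error)
    probe = asa.from_outside(packet(OUTSIDE, TRACED, ECHO_REQUEST, 0x100, 9, bytes(56)))
    out = asa.from_inside(packet(ROUTER, OUTSIDE, TIME_EXCEEDED, payload=probe[:28]))  # quotes IP hdr + 8 bytes
    return None if out is None else (parse(out)[0], parse(parse(out)[6])[1])

def duplicate_reply():
    """One echo request answered twice by SERVER -> (translated source of the 1st reply, fate of the 2nd)."""
    asa = Asa({SERVER: TRACED}, True)
    src, dst, _, _, ident, seq, data = parse(asa.from_outside(packet(OUTSIDE, TRACED, ECHO_REQUEST, 7, 1, bytes(56))))
    reply = packet(dst, src, ECHO_REPLY, ident, seq, data)
    first, second = asa.from_inside(reply), asa.from_inside(reply)
    return parse(first)[0], second
```

trace_hop(False, False) gives the hop-9 line of TEST 1 (the hop answers as 91.223.184.154 and the quoted packet still says 91.223.184.154), trace_hop(True, False) gives None, which is the "* * *" of TEST 2, trace_hop(True, True) gives 91.223.184.157 as in the last trace, and duplicate_reply() shows the second reply to a single request being dropped. checksum() returns 0 over any header or message that already carries its checksum, so it doubles as the check that the rewritten outer header, the ICMP message and the quoted header are all consistent after translation.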
TEST 1
ICMP Error Inspection disabled
C:\Program Files\PDFCreator\Images2PDF>tracert 91.223.184.154
Tracing route to xxxxxxxxxx [91.223.184.154]
over a maximum of 30 hops:
  1
  2     1 ms     1 ms     1 ms  gw.chr26.1000lecie.pl [195.177.84.1]
  3     3 ms     2 ms     2 ms  vlan100-sw1.1000lecie.pl [195.177.64.49]
  4     1 ms
  5     4 ms     4 ms     8 ms  netia.ip4.e-poludnie.pl [195.191.170.86]
  6     2 ms     1 ms     1 ms  87.204.225.43
  7     3 ms     3 ms     3 ms  ns2.promont.iq.pl [195.43.143.2]
  8     7 ms     *        5 ms  pub-184.146.promont.iq.pl [91.223.184.146]
  9     4 ms     5 ms     4 ms  xxxxxxxxxxxx [91.223.184.154]
 10     4 ms     5 ms     4 ms  xxxxxxxxxxx [91.223.184.154]
TEST 2
ICMP Error Inspection enabled
C:\Program Files\PDFCreator\Images2PDF>tracert 91.223.184.154
Tracing route to xxxxxxxx [91.223.184.154]
over a maximum of 30 hops:
  1
  2     1 ms     1 ms     1 ms  c3b1541.1000lecie.pl [195.177.84.1]
  3     2 ms     2 ms     2 ms  vlan100-sw1.1000lecie.pl [195.177.64.49]
  4     1 ms
  5     2 ms     2 ms     1 ms  netia.ip4.e-poludnie.pl [195.191.170.86]
  6  2676 ms     *        *     87.204.225.43
  7     3 ms     3 ms     4 ms  ns2.promont.iq.pl [195.43.143.2]
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     5 ms     4 ms     4 ms  xxxxxxxxxxxx [91.223.184.154]
We see "* * *" at hops 8 and 9 because there is no NAT rule for those intermediate nodes. Below is the same trace after adding a NAT rule for node 9.
TEST 3
ICMP Error Inspection enabled, NAT rule added for node 9
C:\Program Files\PDFCreator\Images2PDF>tracert 91.223.184.154
Tracing route to xxxxxxxxx [91.223.184.154]
over a maximum of 30 hops:
  1
  2     1 ms     1 ms     1 ms  gw.chr26.1000lecie.pl [195.177.84.1]
  3     2 ms     2 ms     2 ms  vlan100-sw1.1000lecie.pl [195.177.64.49]
  4     1 ms     1 ms     1 ms  ge0-0-1-50.r1.1000lecie.pl [195.177.64.5]
  5     4 ms     1 ms     1 ms  netia.ip4.e-poludnie.pl [195.191.170.86]
  6    45 ms     2 ms     2 ms  87.204.225.43
  7     3 ms     3 ms     4 ms  ns2.promont.iq.pl [195.43.143.2]
  8     *        *        *     Request timed out.
  9     6 ms    10 ms     4 ms  xxxxxxxxxxxx [91.223.184.157]
 10     4 ms     4 ms     4 ms  xxxxxxxxxxxx [91.223.184.154]
Trace complete.
dzbanek 2013-03-11