Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 ICMP Inspection, ICMP Error Inspection, Instant Messaging Inspection

11-39

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter11 Configuring Inspection of Basic Internet Protocols

ICMP Inspection

–

H323 Traffic Class—Specifies the HTTP traffic class match.

–

Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class

Maps.

•Action—Drop connection, reset, or log.

•Log—Enable or disable.

ICMP Inspection

The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and

UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through

the ASA in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP

inspection engine ensures that there is only one response for each request, and that the sequence number

is correct.

ICMP Error Inspection

When this feature is enabled, the ASA creates translation sessions for intermediate hops that send ICMP

error messages, based on the NAT configuration. The ASA overwrites the packet with the translated IP

addresses.

When disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP

error messages. ICMP error messages generated by the intermediate nodes between the inside host and

the ASA reach the outside host without consuming any additional NAT resource. This is undesirable

when an outside host uses the traceroute command to trace the hops to the destination on the inside of

the ASA. When the ASA does not translate the intermediate hops, all the intermediate hops appear with

the mapped destination IP address.

The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved

five-tuple, a lookup is performed to determine the original address of the client. The ICMP error

inspection engine makes the following changes to the ICMP packet:

•In the IP Header, the mapped IP is changed to the real IP (Destination Address) and the IP checksum

is modified.

•In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.

•In the Payload, the following changes are made:

–

Original packet mapped IP is changed to the real IP

–

Original packet mapped port is changed to the real Port

–

Original packet IP checksum is recalculated

Instant Messaging Inspection

This section describes the IM inspection engine. This section includes the following topics:

•IM Inspection Overview, page11-40

•Select IM Map, page 11-41

Cisco Systems ICMP Inspection, ICMP Error Inspection, Instant Messaging Inspection