SORRY FOR THE TYPO IN THE LAST PARAGRAPH - corrected.

On 14 February 2012 19:07, Peter Debye <[email protected]> wrote:

> Let me tell you guys that ICMP error packet inspection is an inherent
> part of the asa security algorithm, and is ALWAYS performed on these
> packets whether "inspect icmp error" is enabled or not.
> (that is why I'd prefer the older "fixup icmp error" term as less confusing.)
>
> When asa receives the icmp error packet it should first check whether
> this one can be matched with the established flow or not. In other words,
> whether this packet comes back in response to a real offending packet seen
> by asa or it is a spoofed one. For this the first check is always to
> look inside the icmp error payload and try to match the IPs inside it
> with an existing xlate slot. This is done irrespective of "inspect icmp error".
> If the slot is found then the icmp payload will be fixed (doctored) in accord
> with it: e.g., the source IP of the encapsulated offending packet header will
> be changed.
>
> The second step now depends on the config of the "inspect icmp err":
> - if NOT enabled then the source IP of the ICMP packet itself is also changed
>   in accord with the xlate slot. This is also part of the asa security algo:
>   all inside hosts' src IPs will show as if sent by final host. This way
>   the internal path is hidden from the tracer. In the trace output you will
>   then normally see several lines with the same IP.
> But if "inspect icmp err" is enabled, this step is omitted, and the
> intermediate hosts' src IPs are seen in clear.
>
> cheers.
> ==============================================
>
> > ----------------------------------------------------------------------
> >
> > Date: Tue, 14 Feb 2012 21:44:01 +0530
> > From: Kingsley Charles <[email protected]>
> > To: Joe Astorino <[email protected]>
> > Cc: OSL Security <[email protected]>
> > Subject: Re: [OSL | CCIE_Security] inspect icmp error
> > Message-ID: <CAHs0B04SX38kFcGXK=fzj8d5g4yy6yvbkfdxpxjxvqadqn0...@mail.gmail.com>
> > Content-Type: text/plain; charset="windows-1252"
> >
> > The inspect icmp error enables the ASA to look into the ICMP payload.
> >
> > The NAT rules look at the L3 header alone and translate it.
> >
> > With regards
> > Kings
> >
> > On Tue, Feb 14, 2012 at 9:33 PM, Joe Astorino <[email protected]> wrote:
> >
> >> Well I must say, I have labbed this up and I am utterly confused : )
> >> You are absolutely correct, I am just not clear on how this works.
> >> Specifically:
> >>
> >> - When the inspect icmp error feature is DISABLED, what happens is the
> >>   ICMP error coming back to R2 is sourced from R1's Fa0/0 interface IP
> >>   despite the fact that there is a static NAT for it. How is this possible?
> >>   Why doesn't the static nat come into play by default and translate R1
> >>   Fa0/0 IP to the global IP for the ICMP destination unreachable message?
> >>
> >> On Tue, Feb 14, 2012 at 4:06 AM, Kingsley Charles <[email protected]> wrote:
> >>
> >>> Joe
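The two-step handling Peter describes above (match the quoted offending packet against an xlate slot first, then rewrite the outer source only when "inspect icmp error" is off) is easier to follow on real packet bytes. The following is an added example, not code from this thread or from Cisco, and it models the thread's description rather than verified ASA internals: it builds a TTL-exceeded error the way an inside router would, then runs it through a small fix-up function under both settings. The class name `Xlate`, the functions `fixup_icmp_error` and `summarize`, and the addresses (outside tracer 203.0.113.5, inside host 10.1.1.10 statically mapped to 198.51.100.10, intermediate inside router 10.1.1.1) are all constructed for the example. Only the case discussed here is modelled: an error generated by an inside hop and heading to an outside tracer.

```python
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

ICMP_PROTO = 1
ICMP_TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Xlate:
    """One xlate slot (hypothetical name): inside (local) address and its mapped (global) address."""
    local: str
    mapped: str


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers; returns 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(hdr: bytes, offset: int) -> bytes:
    """Zero the checksum field at `offset`, recompute it over `hdr`, and write it back."""
    zeroed = hdr[:offset] + b"\x00\x00" + hdr[offset + 2:]
    return zeroed[:offset] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[offset + 2:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (20-byte header, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return _with_checksum(hdr, 10) + payload


def build_icmp_error(outer_src: str, outer_dst: str, offending: bytes,
                     icmp_type: int = ICMP_TIME_EXCEEDED, code: int = 0) -> bytes:
    """ICMP error quoting the offending packet's IP header plus 8 bytes, as routers do."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]
    return build_ipv4(outer_src, outer_dst, ICMP_PROTO, _with_checksum(icmp, 2))


def _addrs(ip_hdr: bytes) -> tuple[str, str]:
    return (str(ipaddress.ip_address(ip_hdr[12:16])), str(ipaddress.ip_address(ip_hdr[16:20])))


def _set_addr(ip_hdr: bytes, offset: int, addr: str) -> bytes:
    """Overwrite the address at `offset` (12 = src, 16 = dst) and fix the header checksum."""
    return _with_checksum(ip_hdr[:offset] + ipaddress.ip_address(addr).packed + ip_hdr[offset + 4:], 10)


def fixup_icmp_error(pkt: bytes, xlates: Iterable[Xlate], inspect_icmp_error: bool) -> Optional[bytes]:
    """Two-step handling of an ICMP error from an inside hop heading to an outside tracer.

    Returns the rewritten packet, or None when the quoted packet matches no xlate slot
    (the error cannot be tied to a flow the firewall has seen, so it is treated as spoofed).
    """
    outer, icmp_hdr, inner, inner_rest = pkt[:20], pkt[20:28], pkt[28:48], pkt[48:]
    if outer[9] != ICMP_PROTO or len(inner) < 20:
        return None
    _, inner_dst = _addrs(inner)

    # Step 1 (always performed): the tracer's packet was translated to the local address,
    # so the quoted header must point at an existing slot; otherwise the error is unmatched.
    slot = next((x for x in xlates if x.local == inner_dst), None)
    if slot is None:
        return None
    # Doctor the quoted header so the tracer sees the address it actually sent to.
    inner = _set_addr(inner, 16, slot.mapped)
    icmp = _with_checksum(icmp_hdr + inner + inner_rest, 2)

    # Step 2 (depends on "inspect icmp error"): with it disabled the outer source is also
    # rewritten to the slot's mapped address, so every hop looks like the final host;
    # with it enabled the intermediate hop's own source address is left as is.
    if not inspect_icmp_error:
        outer = _set_addr(outer, 12, slot.mapped)
    return outer + icmp


def summarize(pkt: bytes) -> tuple[str, str, int, str, str]:
    """(outer src, outer dst, ICMP type, quoted src, quoted dst) for a fixed-up packet."""
    return (*_addrs(pkt[:20]), pkt[20], *_addrs(pkt[28:48]))


# Constructed scenario: outside tracer 203.0.113.5 traces to 198.51.100.10, the mapped
# address of inside host 10.1.1.10; inside router 10.1.1.1 expires the TTL and replies.
XLATES = [Xlate(local="10.1.1.10", mapped="198.51.100.10")]
OFFENDING = build_ipv4("203.0.113.5", "10.1.1.10", 17, b"\x00" * 8, ttl=1)  # after dst NAT
ERROR = build_icmp_error("10.1.1.1", "203.0.113.5", OFFENDING)

if __name__ == "__main__":
    for enabled in (False, True):
        out = fixup_icmp_error(ERROR, XLATES, inspect_icmp_error=enabled)
        print(f"inspect icmp error {'enabled' if enabled else 'disabled'}: {summarize(out)}")
```

With the feature disabled the outer source comes out as 198.51.100.10 on every inside hop, which is the "several lines with the same IP" trace output; with it enabled the router's own 10.1.1.1 is passed through. In both cases the quoted header is doctored back to the mapped address and all three checksums (outer IP, ICMP, quoted IP) are recomputed, which is the part a host-side reassembly would otherwise reject. An error whose quoted destination matches no slot is dropped rather than forwarded.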
