I was thinking about this last night, so I woke up early today to look into it. I think I have a fair understanding of the PIX/ASA firewall features, but the IOS firewall has always intrigued me, so I set out to learn it. Here's what I found.
ICMP inspection, in simple words, is like Area 51: anyone on the inside can go out, but outsiders aren't allowed to waltz in. OK, bad example! The ICMP feature, like every "inspect" feature in the IOS firewall (CBAC), performs STATEFUL PACKET INSPECTION. By this I mean that it does not just filter on source and destination IP addresses and ports; it also maintains a STATE table and matches returning packets against it. The state table gets an entry for every session opened from the inside, recording parameters such as the source IP, destination IP, protocol (plus ports for TCP/UDP) and the session timeout.
So when ICMP packets hit the IOS firewall on the inside interface, and ICMP inspection is enabled on that interface, the IOS opens an ICMP inspection session for the echo-replies that are expected to arrive. The session has a default timeout of 10 seconds, meaning that the replies have to arrive within 10 seconds of the echo-request going out; otherwise the session is deleted and replies for it are no longer accepted. The short window keeps the hole punched in the outside ACL open only as long as a legitimate reply needs, rather than leaving a standing path for ICMP from the outside.
When an echo-reply arrives on the outside interface of the router, the router checks the following:
1) Is there an active ICMP session in the state table?
2) Does the destination IP address of the echo-reply match the "source" address recorded in the state table?
3) If so, does the source IP address of the echo-reply match the destination IP address of that same session?
4) If both addresses match, the echo-reply is permitted in (CBAC dynamically opens the inbound ACL on the outside interface for it).
5) If no active session matches, the packet is evaluated by the inbound ACL on the outside interface alone. If that ACL denies the traffic, the ICMP packet is dropped.
So if an echo-request arrives on the outside interface, there will obviously be no session matching it (sessions are only created by traffic leaving from the inside), so the packet falls through to the inbound ACL and is dropped.
Also note that echo-request and echo-reply aren't the only two ICMP message types inspected by CBAC (the IOS firewall). It also inspects the following ICMP messages:
- Time exceeded (useful for traceroute)
- Destination unreachable
- Timestamp request
- Timestamp reply
LAB:

ICMP Inspection lab topology
R0, R1 and R2 are three Cisco 2691 routers running IOS 12.4(13b) Advanced Enterprise. IP addressing follows the diagram, and there is a deny-any-any access list applied inbound on the fa0/1 (outside) interface of R0. This blocks all traffic coming in from the outside unless it matches a session created by the CBAC inspection engine.
CONFIGURATION:
The command to turn on ICMP inspection is as follows:
(config)# ip inspect name inspection-name icmp [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
inspection-name : name of the CBAC inspection rule. The same name is used when the rule is applied to an interface.
icmp : the protocol to be inspected. Here it is ICMP; it can also be tcp, udp, or an application protocol such as http.
alert : enable or disable the console alert messages CBAC generates for this rule. Alerts are on by default.
audit-trail : enable or disable the audit trail, which logs session creation and teardown to syslog. It is disabled by default.
timeout : overrides the default ICMP session timeout of 10 seconds.
To enable the inspection, the rule has to be applied in the inbound direction on the inside interface of R0, so that traffic leaving the inside network through the router opens the sessions.
(config-if)# ip inspect inspection-name {in | out}
in/out : the direction in which to inspect traffic relative to that interface. in means traffic entering the router on the interface, which on the inside interface is the traffic headed out towards the outside network.
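Putting the pieces together, here is a complete R0 configuration for the lab as an added example; it is not from the original post. The diagram is not reproduced here, so the interface roles (fa0/0 inside, fa0/1 outside) and the addresses 10.0.0.0/24 and 192.168.1.0/24 are assumptions, as are the names OUTSIDE-IN and FW:

```cisco
! R0 - added lab configuration (example, not from the original post).
! Assumed roles and addressing, since the diagram is not shown here:
!   fa0/0 = inside  (10.0.0.1/24, towards R1)
!   fa0/1 = outside (192.168.1.1/24, towards R2)
!
! 1) Inbound ACL on the outside interface: block everything arriving from
!    outside unless CBAC has a matching session for it.
ip access-list extended OUTSIDE-IN
 deny ip any any
!
! 2) CBAC rule: inspect ICMP, keep the default 10-second session timeout,
!    and turn on the audit trail so each session open/close is logged.
ip inspect name FW icmp audit-trail on timeout 10
!
! 3) Apply the rule inbound on the INSIDE interface. Traffic entering the
!    router from the inside opens sessions; replies matching those sessions
!    are let through the OUTSIDE-IN ACL dynamically.
interface FastEthernet0/0
 description INSIDE
 ip address 10.0.0.1 255.255.255.0
 ip inspect FW in
!
interface FastEthernet0/1
 description OUTSIDE
 ip address 192.168.1.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Verification (privileged EXEC), while a ping from R1 to R2 is running:
!   show ip inspect config     -> confirms the FW rule, protocol and timeout
!   show ip inspect sessions   -> lists the open ICMP session(s) with src/dst
!   debug ip inspect icmp      -> shows sessions being created and replies matched
```

Two things to watch when testing this. First, run the ping from R1, not from R0: CBAC does not inspect traffic that the router itself originates, so a ping sourced on R0 never creates a session and its replies are dropped by OUTSIDE-IN. Second, a ping from R2 towards R1 should fail even though the ACL and inspect rule are both in place; if it succeeds, the ACL is not applied inbound on the outside interface.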
I will post the tests and debugs in a while.

