Using packet-tracer for validating ICMP traffic


TCP and UDP are statefully inspected by default, so you just have to run packet-tracer on the source interface and you can be sure the return traffic will be allowed through. With ICMP, it’s a different story.

Because the ASA does not statefully inspect ICMP packets (by default), you have to verify the return packets as well. So you’ll be running two packet-tracer commands to confirm that ICMP packets go through and come back.

So here’s how you verify ICMP echo and echo-reply using packet-tracer:

For verifying echo packets (type=8, code=0):

packet-tracer input inside icmp 10.1.1.2 8 0 172.21.1.2 detailed

For verifying echo-reply packets (type=0, code=0):

packet-tracer input outside icmp 172.21.1.2 0 0 10.1.1.2 detailed

Here’s a wiki link for ICMP types and codes that you can use to check the type of ICMP packet that you are expecting to see on the interfaces.
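As an added example (not part of the original post), the script below builds the echo/echo-reply command pair for a given flow and reads the verdict from both trace outputs, so a ping is only reported as working when both directions are allowed. It assumes the trace output ends with a "Result:" section containing an "Action: allow|drop" line and, on a drop, a "Drop-reason:" line; the two sample outputs are constructed, not captured from a device.

```python
import re

# Constructed sample tails of packet-tracer output (assumed shape, not real captures).
ECHO_TRACE = """\
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

REPLY_TRACE = """\
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def icmp_trace_commands(in_if, out_if, src, dst):
    """Return the echo (type 8) and echo-reply (type 0) packet-tracer commands.

    The ASA does not inspect ICMP statefully by default, so the reply is traced
    separately: it enters on the far interface with source and destination swapped.
    """
    echo = f"packet-tracer input {in_if} icmp {src} 8 0 {dst} detailed"
    reply = f"packet-tracer input {out_if} icmp {dst} 0 0 {src} detailed"
    return echo, reply


def trace_action(output):
    """Extract ('allow' | 'drop', drop_reason_or_None) from one trace output."""
    action = re.search(r"^Action:\s*(allow|drop)\s*$", output, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+?)\s*$", output, re.M)
    if not action:
        raise ValueError("no Action line in packet-tracer output")
    return action.group(1), (reason.group(1) if reason else None)


def icmp_verdict(echo_output, reply_output):
    """Ping only works if BOTH the echo and the echo-reply trace are allowed."""
    echo_action, echo_reason = trace_action(echo_output)
    reply_action, reply_reason = trace_action(reply_output)
    if echo_action == "allow" and reply_action == "allow":
        return "ok"
    if echo_action == "drop":
        return f"echo dropped: {echo_reason}"
    return f"echo-reply dropped: {reply_reason}"


if __name__ == "__main__":
    print(*icmp_trace_commands("inside", "outside", "10.1.1.2", "172.21.1.2"), sep="\n")
    print(icmp_verdict(ECHO_TRACE, REPLY_TRACE))
```

Paste the two printed commands into the ASA, then feed each output to `trace_action` to get the combined verdict.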


2 thoughts on “Using packet-tracer for validating ICMP traffic”

  1. I am new to network security and find your notes simple and straight to the point. Thank you for making things simple. Wish you luck on your journey to the CCIE.
