Using packet-tracer for validating ICMP traffic

Because TCP and UDP are statefully inspected by default, you only have to run packet-tracer on the source interface and you can be sure the return traffic will be allowed through. With ICMP, it’s a different story.

Because the ASA does not statefully inspect ICMP packets by default, you have to vouch for the return packets as well. So you’ll be running two packet-tracer commands to verify that ICMP packets go through and come back.

So here’s how you verify ICMP echo and echo-reply using packet-tracer:

For verifying echo packets, type=8 code=0

packet-tracer input inside icmp <src_ip> 8 0 <dst_ip> detailed

For verifying echo-reply packets, type=0 code=0

packet-tracer input outside icmp <dst_ip> 0 0 <src_ip> detailed

Here’s a wiki link for ICMP types and codes that you can use to check the type of ICMP packet that you are expecting to see on the interfaces.
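As an added example (not part of the original post), the following Python builds the two packet-tracer commands for an ICMP request/reply pair, swapping interface and addresses and substituting the reply type for the return direction, and reads the verdict from the "Action:" line of each trace. It goes beyond the echo case on the page to the other ICMP request/reply pairs (timestamp, information, address mask); interface names, addresses and the sample output are constructed.

```python
# Added example: build and evaluate the forward/return packet-tracer pair
# needed because the ASA keeps no ICMP state unless 'inspect icmp' is enabled.
# Interface names, addresses and the sample output below are constructed.
import re

# ICMP request type -> matching reply type. Echo (8 -> 0) is the case on the
# page; the other pairs generalise it. Error messages (3, 11, ...) have no reply.
REPLY_TYPE = {8: 0, 13: 14, 15: 16, 17: 18}


def icmp_trace_commands(in_ifc, out_ifc, src, dst, req_type=8, code=0):
    """Return (forward, reverse) packet-tracer commands for one ICMP exchange.

    The reverse command enters on the far interface, swaps the addresses and
    uses the reply type, which is what the return packet will look like.
    """
    if req_type not in REPLY_TYPE:
        raise ValueError(f"ICMP type {req_type} has no reply to trace")
    fwd = f"packet-tracer input {in_ifc} icmp {src} {req_type} {code} {dst} detailed"
    rev = f"packet-tracer input {out_ifc} icmp {dst} {REPLY_TYPE[req_type]} {code} {src} detailed"
    return fwd, rev


def trace_action(output):
    """Extract the final 'Action:' verdict (allow/drop) and any drop reason."""
    action = re.search(r"^Action:\s*(\w+)", output, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", output, re.M)
    if not action:
        raise ValueError("no Action line in packet-tracer output")
    return action.group(1), (reason.group(1).strip() if reason else None)


def icmp_path_ok(fwd_output, rev_output):
    """A ping only works when both the request and the reply are allowed."""
    return all(trace_action(o)[0] == "allow" for o in (fwd_output, rev_output))


# Constructed, trimmed outputs shaped like the tail of an ASA packet-tracer run.
SAMPLE_ALLOW = """Result:
input-interface: inside
output-interface: outside
Action: allow
"""
SAMPLE_DROP = """Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    fwd, rev = icmp_trace_commands("inside", "outside", "10.1.1.10", "198.51.100.5")
    print(fwd)
    print(rev)
    print("ping works:", icmp_path_ok(SAMPLE_ALLOW, SAMPLE_DROP))
```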

2 thoughts on “Using packet-tracer for validating ICMP traffic”

  1. I am new to network security and find your notes simple and straight to the point. Thank you for making things simple. Wish you luck on your journey to the CCIE.
