Jeremy, I think this is due to the behavior of the PIX/ASA code in versions 7 and later. Cisco turned on ICMP Inspection by default and this only permits one ICMP response packet before closing the connection automatically, thus you see all of the build/teardown activity.
I am pulling this from the Cisco ASA and PIX Firewall Handbook (older one covering Version 7 code). They give an example of a system without ICMP Inspection that permits unsolicited ICMP traffic in the form of ICMP echo responses without first having an ICMP echo request. So it seems that in order to get better security, you have to deal with more logging.

This does not explain much, but references the same information:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1541255

-Nate

On Fri, 10 Dec 2010, Jeremy Charles wrote:

> My Google-fu is coming up empty on this one, so I'm wondering if any of you
> have encountered this and/or been able to deal with it...
>
> The Cisco firewall products I've previously used (including PIXes several
> years ago and currently an FWSM 3.2(18)) logged ICMP echo-request/echo
> "connections" just like any other "connection." They generated one log entry
> when the series of pings started, and then another log entry when the series
> of pings ended. Like this:
>
> Dec 10 2010 09:23:50: %FWSM-6-302020: Built outbound ICMP connection for faddr 64.62.173.39/1024 gaddr 216.165.132.252/30981 laddr 10.6.204.220/8
> Dec 10 2010 09:23:56: %FWSM-6-302021: Teardown ICMP connection for faddr 64.62.173.39/1024 gaddr 216.165.132.252/30981 laddr 10.6.204.220/8
>
> For some reason, our new ASA 8.2(2) is logging a connection build/teardown
> sequence for each and every echo-request/echo combination that goes through,
> as shown below. Has anyone figured out a way to get the ASA to exhibit the
> logging behavior noted above instead?
>
> Dec 10 2010 15:19:58: %ASA-6-302020: Built outbound ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
> Dec 10 2010 15:19:58: %ASA-6-302021: Teardown ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
> Dec 10 2010 15:19:59: %ASA-6-302020: Built outbound ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
> Dec 10 2010 15:19:59: %ASA-6-302021: Teardown ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
> Dec 10 2010 15:20:00: %ASA-6-302020: Built outbound ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
> Dec 10 2010 15:20:00: %ASA-6-302021: Teardown ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
> Dec 10 2010 15:20:01: %ASA-6-302020: Built outbound ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
> Dec 10 2010 15:20:01: %ASA-6-302021: Teardown ICMP connection for faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024
>
>
> ===
> Jeremy Charles
> Epic - Computer and Technology Services Division
> [email protected]
>
> Phone: 608-271-9000 Fax: 608-271-7237
>
>

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
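
Added example, not part of the thread and not Cisco code: if the ASA keeps ICMP inspection on and logs one 302020/302021 pair per echo, the pairs can be collapsed on the log-collector side into one record per ping series, similar to what the FWSM logged. The function name, the `idle_gap` threshold and the final sample timestamp (15:25:10) are assumptions made for this sketch; the other sample lines are the thread's ASA messages unwrapped to one message per line.

```python
import re
from datetime import datetime, timedelta

# Matches the 302020 (Built) / 302021 (Teardown) ICMP messages quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %(?:ASA|FWSM)-6-(?P<id>30202[01]): "
    r".*?ICMP connection for faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)"
)

def collapse_icmp(lines, idle_gap=timedelta(seconds=5)):
    """Merge per-echo build/teardown pairs into one record per ping series.

    idle_gap is an assumed threshold: a flow silent for longer than this
    starts a new series. Returns dicts with flow, first, last and echoes.
    """
    open_series = {}  # (faddr, gaddr, laddr) -> series still being extended
    done = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICMP build/teardown message
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        flow = (m["faddr"], m["gaddr"], m["laddr"])
        s = open_series.get(flow)
        if s and ts - s["last"] > idle_gap:
            done.append(open_series.pop(flow))  # series ended, close it out
            s = None
        if s is None:
            s = open_series[flow] = {"flow": flow, "first": ts, "last": ts, "echoes": 0}
        s["last"] = ts
        if m["id"] == "302020":
            s["echoes"] += 1  # one Built message per echo request on the ASA
    done.extend(open_series.values())
    return sorted(done, key=lambda s: s["first"])

# Constructed sample: the thread's ASA flow, plus one later echo (assumed time).
_FLOW = "faddr 199.204.56.2/0 gaddr 199.204.56.15/57035 laddr 10.6.204.220/1024"

def _pair(ts):
    return [f"Dec 10 2010 {ts}: %ASA-6-302020: Built outbound ICMP connection for {_FLOW}",
            f"Dec 10 2010 {ts}: %ASA-6-302021: Teardown ICMP connection for {_FLOW}"]

SAMPLE = [l for ts in ("15:19:58", "15:19:59", "15:20:00", "15:20:01", "15:25:10")
          for l in _pair(ts)]

if __name__ == "__main__":
    for s in collapse_icmp(SAMPLE):
        print(s["first"], s["last"], s["echoes"], s["flow"])
```

The raw per-echo messages should still be retained somewhere if they are needed as evidence; the collapsed view is for reading and alerting.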
