ICMP ACL Statements
ASA prohibits ICMP traffic through the firewall by default. The last chapter covered managing ICMP traffic and specifically targeting interfaces on the PIX device. In this chapter, you learn about access-list options used to allow specific ICMP traffic to pass through the PIX Firewall.
Use the following form of the access-list command to allow specific ICMP traffic. The any and host keywords are implemented the same as in IOS ACLs. Use the no form of the command to remove the ACL entry. The basic syntax is
pix(config)# access-list acl_id {deny | permit} icmp {source_addr | local_addr} {source_mask | local_mask} {dest_addr | remote_addr} {dest_mask | remote_mask} icmp_type
The following table lists possible ICMP type values and their literal equivalents. Either form can be used, but the literal form is easier for humans to interpret.
The following example creates three static mappings for servers, allows three types of ICMP messages, and then allows outside access to the server global addresses.
Pix(config)# static (dmz,outside) 1.1.1.3 192.168.2.3 netmask 255.255.255.255
Pix(config)# static (dmz,outside) 1.1.1.4 192.168.2.4 netmask 255.255.255.255
Pix(config)# static (dmz,outside) 1.1.1.5 192.168.2.5 netmask 255.255.255.255
Pix(config)# access-list 101 permit icmp any any echo-reply
Pix(config)# access-list 101 permit icmp any any time-exceeded
Pix(config)# access-list 101 permit icmp any any unreachable
Pix(config)# access-list 101 permit tcp any host 1.1.1.3 eq www
Pix(config)# access-list 101 permit tcp any host 1.1.1.4 eq ftp
Pix(config)# access-list 101 permit tcp any host 1.1.1.5 eq smtp
Pix(config)# access-group 101 in interface outside
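As an added illustration that is not part of the original text, the following Python model parses ACL 101 from the example above (embedded here as a constructed config snippet) and evaluates packets against it with the PIX rules the chapter relies on: first match wins, masks are subnet masks rather than IOS wildcard masks, and anything not explicitly permitted hits the implicit deny. It shows why an inbound echo-reply is permitted while an inbound echo request to the same server is dropped.

```python
import ipaddress

# ICMP type literals used on the page, mapped to their numeric values (RFC 792).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# Constructed sample: the page's ACL 101 as it would appear in a running config.
PIX_CONFIG = """
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host 1.1.1.3 eq www
"""

def _parse_addr(tokens):
    """Consume 'any', 'host A', or 'A MASK' (PIX uses subnet masks, not wildcards)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config, acl_id):
    """Return the ordered entries of one ACL as (action, proto, src, dst, qualifier)."""
    entries = []
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_id]:
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        qualifier = None  # None means "any ICMP type" / "any port"
        if proto == "icmp" and rest:
            qualifier = int(ICMP_TYPES.get(rest[0], rest[0]))  # literal or numeric
        elif rest and rest[0] == "eq":
            qualifier = rest[1]
        entries.append((action, proto, src, dst, qualifier))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, qualifier=None):
    """First-match evaluation, ending in the implicit deny every PIX ACL carries."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, q in entries:
        if p != proto or s not in src or d not in dst:
            continue
        if q is not None and q != qualifier:
            continue
        return action
    return "deny"
```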