ICMP Traffic to the Firewall
ICMP traffic through the firewall isn’t allowed by default and must be specifically allowed by creating access-list/access-group commands, or conduit commands on older IOS versions (4.x). These commands, including the access lists required to allow ICMP traffic, are covered in detail in the next chapter.
On the other hand, ICMP traffic originating on or terminating at the firewall is allowed by default. The configuration mode command icmp controls ICMP traffic that terminates anywhere on the PIX Firewall. If no ICMP access control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at the interface. The key word here is “terminates”—the firewall is the destination.
Using the icmp {permit | deny} command to allow or block pings to an interface is referred to as configurable proxy pinging. Use the no form of the command to remove a specific ICMP statement, or use the clear icmp command to remove the entire ICMP control list. The syntax is
pix(config)#icmp {permit | deny} [host] src_addr [src_mask] [type] int_name
pix(config)#no icmp {permit | deny} [host] src_addr [src_mask] [type] int_name
pix(config)#clear icmp
The following table lists possible ICMP type values and their literal equivalents. While either form can be used with the command, the literal is much easier to interpret for anyone who has to support the PIX device in the future. The ? will list the acceptable options while building the command.
It’s important to understand that creating an ICMP control list effectively switches the firewall from accepting all ICMP traffic to all interfaces to accepting only that traffic specifically allowed by the ICMP statements. There is, in fact, an implicit deny any statement, similar to other ACLs. If the new packet is matched first by a permit statement, the ICMP packet continues to be processed normally. But if the first matched entry is a deny statement, or no matching statement exists, then the PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 Syslog message. The Syslog message syntax is
%PIX-3-313001: Denied ICMP type=type, code=code from src_addr on interface int_name
To avoid unintentionally stopping IPSec and PPTP traffic when the ICMP control list is used, create a statement that permits ICMP unreachable (type 3) message traffic to the appropriate interface. Denying the ICMP unreachable messages disables ICMP Path MTU discovery, which is required by IPSec and PPTP. The next examples show the statement.
The following example denies all ping requests directed at the outside interface and permits all unreachable messages at the outside interface. Notice that the ACL keyword any can be used as the source address.
pix(config)#icmp deny any echo-reply outside
pix(config)#icmp permit any unreachable outside
This next example will permit host 192.168.1.49 or hosts on the network 192.168.2.0/24 to ping the outside interface. The last line again permits all unreachable messages at the outside interface.
pix(config)#icmp permit host 192.168.1.49 echo-reply outside
pix(config)#icmp permit 192.168.2.0 255.255.255.0 echo-reply outside
pix(config)#icmp permit any unreachable outside
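The first-match and implicit-deny behaviour described above is easy to get wrong when reading a longer control list, so here is an added example (not part of the original text, and not Cisco code) that parses icmp permit/deny statements in the syntax shown and evaluates a terminating ICMP packet against them the way the text describes: no list means accept everything, otherwise the first matching statement decides and anything unmatched is dropped with the %PIX-3-313001 message. The literal-to-number table below is an assumption: echo-reply and unreachable are the literals the text uses, the other entries are standard RFC 792 type numbers, since the page does not reproduce the full PIX table. The rule strings fed to the simulator are the second example from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type literals mapped to type numbers. "echo-reply" and "unreachable"
# are the literals used on the page; the remaining entries are standard
# RFC 792 type numbers, included as an assumption about the PIX literal table.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14,
}


@dataclass
class IcmpRule:
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network  # source address(es) the statement covers
    icmp_type: Optional[int]        # None = any ICMP type
    interface: str                  # int_name the statement applies to


def _is_dotted_quad(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse 'icmp {permit|deny} [host] src_addr [src_mask] [type] int_name'."""
    tokens = line.split("#", 1)[-1].split()      # drop a 'pix(config)#' prompt
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp permit/deny statement: {line!r}")
    action, rest = tokens[1], tokens[2:]
    interface = rest.pop()                        # int_name is always last
    if rest[0] == "any":
        network, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        network, rest = ipaddress.IPv4Network(rest[1] + "/32"), rest[2:]
    elif len(rest) > 1 and _is_dotted_quad(rest[1]):  # src_addr src_mask
        network = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False)
        rest = rest[2:]
    else:                                         # src_addr with no mask
        network, rest = ipaddress.IPv4Network(rest[0] + "/32"), rest[1:]
    icmp_type = None
    if rest:                                      # optional [type], number or literal
        icmp_type = int(rest[0]) if rest[0].isdigit() else ICMP_TYPES[rest[0]]
    return IcmpRule(action, network, icmp_type, interface)


def syslog_313001(icmp_type: int, code: int, src: str, interface: str) -> str:
    """Message the PIX logs when the control list denies an ICMP packet."""
    return (f"%PIX-3-313001: Denied ICMP type={icmp_type}, code={code} "
            f"from {src} on interface {interface}")


def evaluate(rules: List[IcmpRule], src: str, icmp_type: int, code: int,
             interface: str) -> Tuple[str, Optional[str]]:
    """First matching statement wins; a non-empty list carries an implicit deny.

    Following the text: an empty list means the PIX accepts all terminating
    ICMP; once any statement exists, anything not explicitly permitted is
    dropped and logged.
    """
    if not rules:
        return "accept", None
    src_ip = ipaddress.IPv4Address(src)
    for rule in rules:
        if rule.interface != interface or src_ip not in rule.network:
            continue
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        if rule.action == "permit":
            return "accept", None
        return "drop", syslog_313001(icmp_type, code, src, interface)
    return "drop", syslog_313001(icmp_type, code, src, interface)  # implicit deny


# The text's second example, used here as constructed input for the simulator.
EXAMPLE_RULES = [
    "pix(config)#icmp permit host 192.168.1.49 echo-reply outside",
    "pix(config)#icmp permit 192.168.2.0 255.255.255.0 echo-reply outside",
    "pix(config)#icmp permit any unreachable outside",
]


def demo() -> dict:
    rules = [parse_icmp_rule(line) for line in EXAMPLE_RULES]
    return {
        "permitted_host": evaluate(rules, "192.168.1.49", 0, 0, "outside")[0],
        "permitted_net":  evaluate(rules, "192.168.2.77", 0, 0, "outside")[0],
        "implicit_deny":  evaluate(rules, "192.168.1.50", 0, 0, "outside")[0],
        "unreachable":    evaluate(rules, "10.9.9.9", 3, 4, "outside")[0],
        "other_iface":    evaluate(rules, "192.168.2.77", 0, 0, "inside")[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
    rules = [parse_icmp_rule(line) for line in EXAMPLE_RULES]
    print(evaluate(rules, "192.168.1.50", 0, 0, "outside")[1])
```

The "other_iface" case shows why the unreachable statement must be added per interface: once the list exists, an interface with no permit statement of its own drops everything, which is exactly how the Path MTU discovery breakage described above happens.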
The show icmp Command
The show icmp command displays any icmp commands in the configuration.
The debug icmp trace Command
The debug icmp trace command shows in real time all icmp echo requests and replies to or through the PIX.
pix#debug icmp trace
1: Outbound ICMP echo request (len 32 id 7 seq 1004) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
2: Inbound ICMP echo reply (Len 32 id 26 seq 1004) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
3: Outbound ICMP echo request (Len 32 id 7 seq 1051) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
4: Inbound ICMP echo reply (Len 32 id 26 seq 1051) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
---- output omitted ----
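When the trace runs for more than a few lines it helps to have something that pairs each echo request with its reply. The following added example (not from the original text or from Cisco) parses lines in the debug icmp trace format shown above and reports which requests got a reply and which did not. The sample trace is constructed: it is the four lines from the text joined onto single lines, plus a fifth request (seq 1099) with no reply so the unanswered case is exercised. Pairing uses the seq number and the reversed src/dst addresses rather than the id, because in the trace above the request (id 7) and reply (id 26) carry different ids.

```python
import re
from typing import Dict, List, Tuple

# One debug icmp trace line, for example:
#   1: Outbound ICMP echo request (len 32 id 7 seq 1004) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
# The trace on the page prints both "len" and "Len", so both are accepted.
TRACE_RE = re.compile(
    r"^(?P<n>\d+):\s+(?P<direction>Inbound|Outbound) ICMP echo (?P<kind>request|reply)"
    r"\s+\((?:len|Len) (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\)\s+"
    r"(?P<src>[\d.]+) > (?P<via>[\d.]+) > (?P<dst>[\d.]+)$"
)


def parse_trace(text: str) -> List[dict]:
    """Return one dict per trace line; the prompt and unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("n", "len", "id", "seq"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def pair_echoes(records: List[dict]) -> Tuple[List[Tuple[dict, dict]], List[dict]]:
    """Match each echo request with its reply.

    A reply pairs with a request when the seq numbers agree and the reply's
    src/dst are the request's dst/src. The ICMP id is deliberately not used:
    in the page's trace the request and reply carry different ids.
    """
    pending: Dict[Tuple[int, str, str], dict] = {}
    paired = []
    for rec in records:
        if rec["kind"] == "request":
            pending[(rec["seq"], rec["src"], rec["dst"])] = rec
        else:
            req = pending.pop((rec["seq"], rec["dst"], rec["src"]), None)
            if req is not None:
                paired.append((req, rec))
    unanswered = list(pending.values())
    return paired, unanswered


# Constructed sample: the page's four lines joined onto single lines, plus one
# extra request (seq 1099) that never gets a reply.
SAMPLE_TRACE = """\
pix#debug icmp trace
1: Outbound ICMP echo request (len 32 id 7 seq 1004) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
2: Inbound ICMP echo reply (Len 32 id 26 seq 1004) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
3: Outbound ICMP echo request (Len 32 id 7 seq 1051) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
4: Inbound ICMP echo reply (Len 32 id 26 seq 1051) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
5: Outbound ICMP echo request (len 32 id 7 seq 1099) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
"""


def summarize(text: str = SAMPLE_TRACE) -> dict:
    """Seq numbers of answered and unanswered echo requests in a trace."""
    paired, unanswered = pair_echoes(parse_trace(text))
    return {
        "answered": [req["seq"] for req, _ in paired],
        "unanswered": [req["seq"] for req in unanswered],
    }


if __name__ == "__main__":
    print(summarize())
```

The "via" address (the PIX interface address in the middle of each line) is kept in every record so the same parser can be used to confirm which interface a given echo crossed when more than one is in play.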