Tuesday 8 May 2012

ICMP Traffic Through the Appliances



ICMP traffic is not stateful by default on the appliances. ICMP messages are permitted by default when traveling from a higher-security-level interface to a lower-level one.


However, ICMP traffic is denied by default from a lower-security-level interface to a higher-level one, even if it is an ICMP message response to a user's ICMP query.


Typically you should allow the following ICMP message types into your network to help provide some basic management and troubleshooting abilities for your internal devices: echo reply, source quench, unreachable, and time exceeded.


For external devices to test connectivity to your network, you might also want to permit the ICMP echo message, but I would definitely restrict what ICMP messages Internet users can generate and what destinations in your network can receive these messages.


To allow ICMP traffic to travel from a lower-level to a higher-level interface, you need to enable one of two things:
· Stateful processing of ICMP
· An ACL entry or entries for the ICMP messages


Starting in version 7.0 of the OS, you can enable stateful processing of ICMP traffic using the Cisco Modular Policy Framework (MPF).
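The following is an added example of the MPF approach; it is not configuration from the original post. It assumes the default policy-map name global_policy and the default class-map inspection_default (both are the names the appliance ships with, but they are recreated here so the example is complete on an appliance where they were removed). With ICMP inspection enabled, an echo reply for a ping sent from a higher-level interface is matched to its connection entry and permitted back in without a separate ACL entry, and inspect icmp error lets unreachable and time-exceeded messages that belong to an existing connection through as well.

```cisco
! Class that matches the default inspection traffic (ICMP is included)
ciscoasa(config)# class-map inspection_default
ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config-cmap)# exit
! Policy that turns on stateful ICMP inspection for that class
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
! Apply the policy to all interfaces
ciscoasa(config)# service-policy global_policy global
ciscoasa(config)# exit
! Verify: inspection counters and the ICMP connection entries created for outbound pings
ciscoasa# show service-policy inspect icmp
ciscoasa# show conn protocol icmp
```

With inspection on, the ACL on the outside interface only needs to permit the ICMP messages that outside hosts are allowed to originate (for example echo to specific servers); returning replies to inside-initiated pings are handled by the connection table.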


An example of the ACL-based configuration to allow returning ICMP traffic (the network object-groups web_servers and ftp_servers are assumed to be defined already):
ciscoasa(config)# object-group icmp-type icmp_traffic
ciscoasa(config-icmp-type)# icmp-object echo-reply
ciscoasa(config-icmp-type)# icmp-object source-quench
ciscoasa(config-icmp-type)# icmp-object unreachable
ciscoasa(config-icmp-type)# icmp-object time-exceeded
ciscoasa(config-icmp-type)# exit
ciscoasa(config)# object-group network ALL_servers
ciscoasa(config-network)# group-object web_servers
ciscoasa(config-network)# group-object ftp_servers
ciscoasa(config-network)# exit
ciscoasa(config)# access-list PERMIT_IN permit tcp any object-group web_servers eq 80
ciscoasa(config)# access-list PERMIT_IN permit tcp any object-group ftp_servers eq 21
ciscoasa(config)# access-list PERMIT_IN permit icmp any any object-group icmp_traffic
ciscoasa(config)# access-list PERMIT_IN permit icmp any object-group ALL_servers echo
ciscoasa(config)# access-list PERMIT_IN deny ip any any
ciscoasa(config)# access-group PERMIT_IN in interface outside

