Monday 7 May 2012


ICMP traffic and Cisco firewall rules.
By default, because ICMP is a stateless protocol, your Cisco PIX/ASA firewall will drop its return traffic.
Therefore, to permit bidirectional ICMP you will need to do one of the following:

1. Create an access-list for the reply traffic.
For example, to allow return traffic for ICMP initiated from the inside network:
    access-list outside extended permit icmp any any echo-reply
    access-list outside extended permit icmp any any source-quench
    access-list outside extended permit icmp any any unreachable
    access-list outside extended permit icmp any any time-exceeded
or

2. On version 7 and above, enable ICMP inspection with the following command:
    inspect icmp
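As an added example (not from the original post), this small Python model contrasts the two options above: the stateless return-traffic ACL admits any inbound packet of the permitted types, whether or not anything was sent out, while ICMP inspection admits only a reply that matches an outbound echo request, and only once. The packet tuple layout, the trace, and the simplification to echo/echo-reply only are assumptions of the model.

```python
# Constructed model of the two approaches on the page; not Cisco code.
# Packets are assumed to be (direction, icmp_type, icmp_id, seq) tuples.

ECHO_REPLY, UNREACHABLE, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11

# Option 1: the ACL on the outside interface permits these types from any source.
RETURN_ACL_PERMITTED = {ECHO_REPLY, SOURCE_QUENCH, UNREACHABLE, TIME_EXCEEDED}


def stateless_acl(packets):
    """Admit inbound ICMP purely by type, as the 'permit icmp any any <type>' lines do."""
    admitted = []
    for direction, itype, icmp_id, seq in packets:
        if direction == "out":  # outbound traffic is not filtered by this ACL
            continue
        if itype in RETURN_ACL_PERMITTED:
            admitted.append((itype, icmp_id, seq))
    return admitted


def icmp_inspection(packets):
    """Model of 'inspect icmp' for echo only: an outbound echo request opens a
    session keyed by (id, seq); exactly one matching echo-reply is admitted,
    after which the session is closed. ICMP error handling is out of scope here."""
    sessions = set()
    admitted = []
    for direction, itype, icmp_id, seq in packets:
        if direction == "out" and itype == ECHO_REQUEST:
            sessions.add((icmp_id, seq))
        elif direction == "in" and itype == ECHO_REPLY and (icmp_id, seq) in sessions:
            admitted.append((itype, icmp_id, seq))
            sessions.discard((icmp_id, seq))  # one reply per request
    return admitted


# Constructed trace: one real ping exchange, a duplicate reply, an unsolicited
# reply with no matching request, and an unrelated error message.
TRACE = [
    ("out", ECHO_REQUEST, 0x1234, 1),
    ("in", ECHO_REPLY, 0x1234, 1),  # legitimate reply
    ("in", ECHO_REPLY, 0x1234, 1),  # duplicate of the same reply
    ("in", ECHO_REPLY, 0x9999, 7),  # unsolicited: no request was ever sent
    ("in", UNREACHABLE, 0, 0),      # error message unrelated to any request here
]

if __name__ == "__main__":
    print("stateless ACL admits:", stateless_acl(TRACE))
    print("inspect icmp admits: ", icmp_inspection(TRACE))
```

The ACL option lets all four inbound packets through; inspection lets only the single matching reply through, which is why it is the tighter choice when the platform supports it.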
