ICMP traffic and Cisco firewall rules.
By default the Cisco PIX/ASA does not track ICMP statefully, so ICMP replies returning from outside (for example the echo-reply to a ping started on the inside) have no matching connection and are dropped.
Therefore, to permit bidirectional ICMP you will need to do one of the following:
1. create an access-list on the outside interface that permits only the ICMP reply types
example to allow return traffic for ICMP initiated from inside the network:
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any source-quench
access-list outside extended permit icmp any any unreachable
access-list outside extended permit icmp any any time-exceeded
or
2. add the following command in version 7 and above (it is entered under the inspection class of the service policy, so that ICMP is tracked statefully and the replies are allowed back automatically)
inspect icmp
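As an added example that is not part of the original post, the Python script below audits an ASA/PIX configuration for the ICMP exposure discussed above. It parses `access-list ... extended permit icmp` entries, flags a permit with no ICMP type (which lets unsolicited ICMP in from outside rather than only replies), flags types that are not one of the four reply types the post permits, and reports whether `inspect icmp` is present. The sample configuration, the `access-group` line and the host address in it are constructed for the example and do not come from the post.

```python
"""Audit Cisco ASA/PIX configuration text for ICMP exposure.

Added example, not from the original post.  The sample config below is
constructed; the ICMP types checked are the reply types the post permits.
"""
from dataclasses import dataclass

# ICMP message types that are legitimate replies to traffic the inside
# network initiated (the same four the post's access-list permits).
REPLY_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}


@dataclass
class Finding:
    line_no: int          # 0 for configuration-wide findings
    severity: str         # "high", "medium" or "info"
    message: str
    text: str = ""        # the offending config line, if any


def _skip_address(tokens, i):
    """Return the index just after one ASA address specification at tokens[i]."""
    word = tokens[i]
    if word in ("any", "any4", "any6"):
        return i + 1
    if word in ("host", "object", "object-group", "interface"):
        return i + 2      # keyword followed by one argument
    return i + 2          # "address netmask" pair


def parse_icmp_ace(line):
    """Parse 'access-list NAME extended permit|deny icmp SRC DST [TYPE]'.

    Returns (name, action, icmp_type-or-None), or None if the line is not
    an ICMP access-list entry.
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    if tokens[3] not in ("permit", "deny") or tokens[4] != "icmp":
        return None
    i = _skip_address(tokens, 5)
    if i >= len(tokens):
        return None       # malformed: no destination specification
    i = _skip_address(tokens, i)
    extras = tokens[i:]
    icmp_type = extras[0] if extras and extras[0] != "log" else None
    return tokens[1], tokens[3], icmp_type


def audit_asa_config(config_text):
    """Return a list of Findings for the given configuration text."""
    findings = []
    inspect_icmp = False
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue              # blank line or config comment
        if line == "inspect icmp":
            inspect_icmp = True
            continue
        ace = parse_icmp_ace(line)
        if ace is None:
            continue
        _name, action, icmp_type = ace
        if action != "permit":
            continue
        if icmp_type is None:
            findings.append(Finding(n, "high",
                "permits every ICMP type, so unsolicited ICMP from outside is "
                "accepted; restrict to reply types or rely on 'inspect icmp'", line))
        elif icmp_type not in REPLY_TYPES:
            findings.append(Finding(n, "medium",
                f"permits ICMP type '{icmp_type}', which is not a reply to "
                "inside-initiated traffic", line))
    if not inspect_icmp:
        findings.append(Finding(0, "info",
            "'inspect icmp' is not configured; ICMP is not tracked statefully, "
            "so return traffic depends entirely on the access-list"))
    return findings


# Constructed sample configuration (not from a real device).  Line 5 permits
# all ICMP types and line 6 permits inbound echo requests to one host.
SAMPLE_CONFIG = """\
! constructed sample config
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit icmp any any
access-list outside extended permit icmp any host 203.0.113.10 echo
access-group outside in interface outside
"""

if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        where = f"line {f.line_no}" if f.line_no else "config"
        print(f"[{f.severity}] {where}: {f.message}")
```

Run against the sample it reports one high finding (the type-less permit), one medium finding (inbound echo) and the informational note that `inspect icmp` is absent; a configuration containing only the four reply types plus `inspect icmp` under the inspection class produces no findings.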