Configure Cisco IOS Firewall Context-Based Access Control
Define inspection rules for ICMP

While ICMP is a very useful tool for debugging network connectivity issues, it can also be used by intruders to map private networks. Armed with the information provided by ICMP replies, intruders may attempt targeted attacks on critical network resources. For this reason, many network administrators configure routers and firewalls to block all ICMP packets from entering the private network. The downside to blocking all ICMP packets is that, while it keeps intruders from using ICMP, it also takes away a valuable network troubleshooting tool.

Cisco routers running IOS release 12.2(11)YU or later with the IOS Firewall feature set can perform stateful inspection of ICMP packets. This feature lets the router trust ICMP packets generated from inside the private network and permit their associated replies, while blocking other, possibly malicious, ICMP packets.

Although Cisco IOS routers can be configured to selectively allow certain ICMP packets through the router, the network administrator must still determine which messages are potentially malicious and which are not.

Stateful inspection of ICMP packets is limited to the most common types of ICMP messages used by network administrators to debug network connectivity issues. ICMP messages that do not provide useful troubleshooting services will not be allowed. The table in Figure identifies the IOS Firewall-supported ICMP packet types.

ICMP packet types 8 and 0 are used for ping: the source sends an Echo Request (type 8) and the destination responds with an Echo Reply (type 0). ICMP packet types 0, 8, and 11 are used for ICMP traceroute, where Echo Request packets are sent out starting with a time-to-live (TTL) value of 1, and the TTL is incremented for each hop. The intermediate hops respond to the Echo Request with a Time Exceeded packet (type 11), and the final destination responds with an Echo Reply.

ICMP stateful inspection is enabled explicitly with the global configuration command ip inspect name inspection-name icmp. The syntax of this command is shown in Figure . To troubleshoot ICMP inspection, perform the optional steps shown in Figure .
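The two approaches the text contrasts, as an added example that is not part of the original page: an access list that blunts all ICMP beside a CBAC configuration that inspects ICMP sessions opened from the inside. The inspection name, access-list names, interface names and addresses are assumptions for this example.

```cisco
! --- Before: the blunt approach described above. Every inbound ICMP packet
! --- is dropped, so inside pings and traceroutes never see their replies.
ip access-list extended OUTSIDE-IN-BLUNT
 deny   icmp any any log
 deny   ip any any log
!
! --- After: CBAC stateful inspection (IOS 12.2(11)YU or later with the
! --- IOS Firewall feature set). Names and addresses below are assumed.
!
! Inspection rule: track TCP, UDP and ICMP sessions that start on the inside.
! The icmp entry is the command covered in the text; timeout is the optional
! idle time in seconds before an ICMP session entry is removed.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp timeout 10
!
! Inbound ACL on the outside interface. CBAC adds temporary openings ahead of
! these lines for each inspected session, so the Echo Reply (type 0) and
! Time Exceeded (type 11) answers to an inside-originated ping or traceroute
! are admitted, while an unsolicited Echo Request from outside hits the deny
! and is logged.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
interface FastEthernet0/0
 description Inside, 10.0.0.0 network
 ip address 10.0.0.1 255.255.255.0
 ip inspect INSIDE-OUT in
!
interface Serial0/0
 description Outside
 ip access-group OUTSIDE-IN in
!
! Verification from privileged EXEC while an inside host runs ping/traceroute:
!   show ip inspect config     - confirm the icmp rule and its timeout
!   show ip inspect sessions   - list the ICMP sessions opened by inside hosts
!   debug ip inspect icmp      - trace each ICMP inspection decision
```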


Lab Activity

e-Lab Activity: Define Inspection Rules

In this activity, students will configure a router to allow all general TCP, UDP, and ICMP traffic initiated on the inside from the 10.0.0.0 network.
