While ICMP is a very useful tool for debugging network connectivity
issues, it can also be used by intruders to map private networks. Armed with
the information provided by ICMP replies, intruders may attempt targeted
attacks on critical network resources. For this reason, many network
administrators configure routers and firewalls to block all ICMP packets from
entering the private network. The downside to blocking all ICMP packets is
that, while it keeps intruders from using ICMP, it also takes away a valuable
network troubleshooting tool.
Cisco routers running IOS release 12.2(11)YU or later with the IOS
Firewall feature set can perform stateful inspection of
ICMP packets. This feature lets the router trust ICMP packets originated
from inside the private network and permit their associated replies, while
blocking other, possibly malicious, ICMP packets.
Although Cisco IOS
routers can be configured to selectively allow certain ICMP packets through the
router, the network administrator must still determine which messages are
potentially malicious and which are not.
Stateful inspection of ICMP
packets is limited to the most common ICMP message types used by network
administrators to debug network connectivity issues. ICMP message types that do not
provide useful troubleshooting services are not tracked, so they are not
allowed through. The table in Figure identifies the
IOS Firewall-supported ICMP packet types.
ICMP packet types 8 and 0 are
used for ping: the source sends an Echo Request (type 8), and the
destination responds with an Echo Reply (type 0). ICMP packet types 0, 8, and 11
are used for ICMP traceroute: Echo Request packets are sent out starting
with a time-to-live (TTL) of 1, and the TTL is incremented for each hop.
Each intermediate hop responds to the Echo Request whose TTL expires there with a Time Exceeded
(type 11) message, and the final destination responds with an Echo Reply.
Note that the classic UNIX traceroute sends UDP probes rather than Echo Requests
and relies on a Destination Unreachable (type 3) message from the final hop, so
which ICMP types a traceroute needs depends on the tool the inside hosts use.
ICMP
stateful inspection is explicitly enabled using the ip inspect
name inspection-name icmp global configuration command; the resulting
inspection rule has no effect until it is applied to an interface with the
ip inspect inspection-name {in | out} interface command. The syntax
of the ip inspect name inspection-name icmp
command for ICMP packet inspection is shown in Figure
. To
troubleshoot ICMP inspection, perform the optional steps shown in Figure
.
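The following is an added example of a complete IOS Firewall configuration that puts the pieces above together; it is not taken from the original page or from Cisco's documentation. The interface names (FastEthernet0/0 as the inside interface, Serial0/0 as the outside interface), the rule name PRIVATE, access list number 101, the addresses, and the 10-second timeout are all assumptions chosen for the example.

```cisco
! Added example configuration (not from the original page or Cisco docs).
! Assumed: FastEthernet0/0 = inside/trusted, Serial0/0 = outside/untrusted,
! rule name PRIVATE, ACL 101, timeout 10 seconds.
!
! Step 1: the inspection rule. The tcp and udp entries are the usual CBAC
! rule; the icmp entry is what enables stateful ICMP tracking. The optional
! timeout is the idle time in seconds after which a pending ICMP session is
! removed from the state table.
ip inspect name PRIVATE tcp
ip inspect name PRIVATE udp
ip inspect name PRIVATE icmp timeout 10
!
! Step 2: the ACL applied inbound on the outside interface. The explicit
! deny for ICMP (followed by the implicit deny ip any any) is what stops
! outside hosts from mapping the private network with ping or traceroute.
! CBAC adds temporary permit entries to this ACL for replies to sessions it
! has inspected, so Echo Reply and Time Exceeded messages answering an
! inside-originated ping or ICMP traceroute are still let through.
access-list 101 deny   icmp any any log
!
! Step 3: apply the rule inbound on the inside interface (it sees traffic
! leaving the private network) and the ACL inbound on the outside interface.
interface FastEthernet0/0
 description INSIDE - trusted network
 ip address 10.0.0.1 255.255.255.0
 ip inspect PRIVATE in
!
interface Serial0/0
 description OUTSIDE - untrusted network
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
! Verification (privileged EXEC). Start a ping from an inside host, then:
!   show ip inspect config      - confirms icmp is part of rule PRIVATE
!   show ip inspect sessions    - lists the ICMP session opened by the ping
!   show ip access-lists 101    - shows the temporary entries CBAC inserted
!   debug ip inspect icmp       - traces ICMP packets as the rule evaluates them
```

With this configuration an Echo Request arriving on Serial0/0 from the Internet is dropped and logged, while an inside host's ping or ICMP traceroute still works because the replies match a session the router created when the request left. If the inside hosts use a UDP-based traceroute, confirm with show ip inspect sessions that the returning messages are being matched rather than assuming the icmp entry alone covers them.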