CIOS Firewall 12.3 - ICMP traffic to let in?

Encountered sample code in Cisco Document ID: 5143 for configuring a site-to-site with NAT:

In this article, the sample code I am referring to is in the section for Router 3640:

access-list 102 permit icmp any W.X.Y.Z unreachable
access-list 102 permit icmp any W.X.Y.Z echo-reply
access-list 102 permit icmp any W.X.Y.Z packet-too-big
access-list 102 permit icmp any W.X.Y.Z time-exceeded
access-list 102 permit icmp any W.X.Y.Z traceroute
access-list 102 permit icmp any W.X.Y.Z administratively-prohibited
access-list 102 permit icmp any W.X.Y.Z echo
access-list 102 deny ip any any log

The article states that this ACL should be applied to the outside interface.

My question is, why would I let this traffic into my network? Other Cisco documentation I have read tells me not to let certain ICMP packets inside my network. So why should I let this traffic in?

Thank you,

Jan Springer Commented:
These are standard acceptable icmp packets. They are *very* helpful with trouble-shooting problems.

If you're not concerned about pmtud, then consider dropping icmp fragment packets, as well.
 -> access-list 102 deny icmp any any fragments
If you get a complaint that a VPN isn't working then drop that statement.

After your last icmp statement, you want a 'deny icmp any any'. As it stands now, you are denying all IP unless there is more of your access-list that has not been posted.
keatscon (Author) Commented:

Do you know of any pitfalls to letting this traffic inside, even though it is helpful?
If I am not trouble-shooting, should they be disabled? Or are you referring to trouble-shooting connectivity issues for client web sessions and the like?

What is 'pmtud'?

This is only part of the ACL I am working on, there are previous statements that allow other traffic in based on stateful inspections, CBAC?

Thank you,

Jan Springer Commented:
I strongly recommend not turning off icmp completely.  You have done the right thing by allowing only specific types of icmp packets into the network.

And, yes, you may need that someday.

PMTUD is path MTU discovery. It is for determining the maximum transmission unit size on the network path between two IP hosts with a view to avoiding IP fragmentation.

You can also rate-limit the amount of icmp traffic you get on an inbound link, too.
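An added audit script, not from this thread or from Cisco, that checks a numbered extended ACL for the points raised above: only the troubleshooting ICMP types from the Cisco sample are permitted, a 'deny icmp any any fragments' line is present and sits before the typed permits (IOS matches non-initial fragments on Layer 3 only and skips typed denies, so a fragments deny placed after the permits never fires), and an explicit 'deny icmp any any' exists. The ACL from the question is embedded as sample input; the finding codes and the parser are assumptions of this example.

```python
import re
# ICMP types the sample ACL in Cisco Document ID 5143 permits inbound for troubleshooting
TROUBLESHOOTING_TYPES = ("unreachable", "echo-reply", "packet-too-big", "time-exceeded",
                         "traceroute", "administratively-prohibited", "echo")
# The ACL quoted in the question, keeping the sample's W.X.Y.Z placeholder destination
SAMPLE_ACL = [f"access-list 102 permit icmp any W.X.Y.Z {t}" for t in TROUBLESHOOTING_TYPES]
SAMPLE_ACL.append("access-list 102 deny ip any any log")
_DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")

def _take_addr(t, i):
    """Consume 'any', 'host A', 'A wildcard' or a bare placeholder such as W.X.Y.Z."""
    n = 2 if t[i] == "host" or (t[i] != "any" and i + 1 < len(t) and _DOTTED.fullmatch(t[i + 1])) else 1
    return " ".join(t[i:i + n]), i + n

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [icmp-type] [fragments] [log]' to a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    rest = t[i:]
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst,
            "fragments": "fragments" in rest, "log": "log" in rest,
            "type": next((x for x in rest if x not in ("fragments", "log")), None)}

def audit_inbound_icmp(acl_lines):
    """Return finding codes for the ICMP entries of an ACL applied inbound on the outside interface."""
    findings, typed_permit, frag_deny, icmp_deny = [], False, False, False
    for a in [x for x in map(parse_ace, acl_lines) if x and x["proto"] == "icmp"]:
        if a["action"] == "permit":
            if a["type"] is None:
                findings.append("permit-all-icmp")           # lets every ICMP type in
            elif a["type"] not in TROUBLESHOOTING_TYPES:
                findings.append("permit-unlisted:" + a["type"])
            else:
                typed_permit = True
        elif a["fragments"]:
            # IOS matches non-initial fragments on L3 only and skips typed denies, so a
            # 'deny icmp any any fragments' line only bites if it precedes the typed permits
            frag_deny = True
            if typed_permit:
                findings.append("fragments-deny-after-permit")
        elif a["src"] == a["dst"] == "any" and a["type"] is None:
            icmp_deny = True                                 # explicit 'deny icmp any any'
    if not frag_deny:
        findings.append("no-fragments-deny")
    if not icmp_deny:
        findings.append("no-icmp-deny")                      # Jan's point: add it before the ip deny
    return findings
```

Run against SAMPLE_ACL it reports the two missing deny lines; with the fragments deny placed first and a 'deny icmp any any' added before the final 'deny ip any any log' it reports nothing.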