Cisco IOS Firewall 12.3 - ICMP traffic to let in?

Encountered sample code in Cisco Document ID: 5143 for configuring a site-to-site with NAT:

In this article the sample code I am referring to is in the section for Router 3640:

access-list 102 permit icmp any W.X.Y.Z 0.0.0.255 unreachable
access-list 102 permit icmp any W.X.Y.Z 0.0.0.255 echo-reply
access-list 102 permit icmp any W.X.Y.Z 0.0.0.255 packet-too-big
access-list 102 permit icmp any W.X.Y.Z 0.0.0.255 time-exceeded
access-list 102 permit icmp any W.X.Y.Z 0.0.0.255 traceroute
access-list 102 permit icmp any W.X.Y.Z 0.0.0.255 administratively-prohibited
access-list 102 permit icmp any W.X.Y.Z 0.0.0.255 echo
access-list 102 deny ip any any log

The article states that this ACL should be applied to the outside interface.

My question is, why would I let this traffic into my network? Other Cisco documentation I have read tells me not to let certain ICMP packets inside my network. So why should I let this traffic in?

Thank you,

Mike  
Jan Springer commented:
These are standard acceptable icmp packets.  They are *very* helpful with trouble-shooting problems.

If you're not concerned about pmtud, then consider dropping icmp fragment packets, as well.
 -> access-list 102 deny icmp any any fragments
If you get a complaint that a VPN isn't working then drop that statement.

After your last icmp statement, you want a 'deny icmp any any'.  As it stands now, you are denying all IP unless there is more of your access-list that has not been posted.
keatscon (author) commented:
Jesper,

   Do you know of any pitfalls to letting this traffic inside, even though it is helpful?
   If I am not trouble-shooting, should they be disabled? Or are you referring to trouble-shooting connectivity issues for client web sessions and the like?

   What is 'pmtud'?

   This is only part of the ACL I am working on; there are previous statements that allow other traffic in based on stateful inspection (CBAC?).

Thank you,

Mike
Jan Springer commented:
I strongly recommend not turning off icmp completely.  You have done the right thing by allowing only specific types of icmp packets into the network.

And, yes, you may need that someday.

PMTUD is path MTU discovery. It is for determining the maximum transmission unit size on the network path between two IP hosts with a view to avoiding IP fragmentation.

You can also rate-limit the amount of icmp traffic you get on an inbound link, too.
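As an added illustration (not code from this thread or from Cisco's document): a small Python model of first-match evaluation for the ACL quoted above, including IOS's rule that a permit entry carrying layer-4 detail (an ICMP type keyword) also passes non-initial fragments, which is the gap Jan's `deny icmp any any fragments` line closes when placed ahead of the permits. The network 192.0.2.0/24 and the sample source addresses are constructed placeholders for W.X.Y.Z, and the fragment handling is a simplified model of the IOS behaviour.

```python
import ipaddress

# Constructed sample: the ACL quoted in the question; 192.0.2.0/24 stands in for W.X.Y.Z (assumption).
ACL_102 = """
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 unreachable
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 traceroute
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 administratively-prohibited
access-list 102 permit icmp any 192.0.2.0 0.0.0.255 echo
access-list 102 deny ip any any log
"""

def _parse_addr(tok):
    """Consume 'any' or 'A.B.C.D WILDCARD'; return ((network, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    return tuple(int(ipaddress.IPv4Address(t)) for t in tok[:2]), tok[2:]

def _addr_matches(spec, ip):
    # Wildcard bits set to 1 are "don't care": OR them away and compare what is left.
    return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def parse_acl(text):
    """Return (action, proto, src, dst, qualifiers) tuples in configured order."""
    entries = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if len(tok) >= 5 and tok[0] == "access-list":
            src, rest = _parse_addr(tok[4:])
            dst, rest = _parse_addr(rest)
            entries.append((tok[2], tok[3], src, dst, set(rest) - {"log"}))
    return entries

def evaluate(entries, proto, src, dst, icmp_type=None, noninitial_frag=False):
    """First-match lookup ending in Cisco's implicit deny; returns 'permit' or 'deny'.
    An ICMP type keyword counts as layer-4 detail for Cisco's fragment rules."""
    for action, p, s, d, quals in entries:
        if p not in ("ip", proto) or not (_addr_matches(s, src) and _addr_matches(d, dst)):
            continue
        has_l4 = bool(quals - {"fragments"})
        if noninitial_frag:
            # IOS: 'fragments' entries match; L4-qualified permits match, L4-qualified denies skip.
            if "fragments" in quals or not has_l4 or action == "permit":
                return action
            continue
        if "fragments" in quals or (has_l4 and icmp_type not in quals):
            continue
        return action
    return "deny"
```

Prepending Jan's line (`access-list 102 deny icmp any any fragments`) to ACL_102 and re-running `parse_acl` shows a non-initial ICMP fragment going from permitted to denied while echo-reply to the inside network is still permitted.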