Which way is better to protect ICMP: ICMP inspect vs. access lists?
Posted on 2011-04-27
In some of our ASA configs we are allowing ICMP yet protecting ourselves from its misuse by putting the following access lists on our ASAs:
access-list outside-in remark ICMP replies and errors needed by ping/traceroute/PMTUD; everything else ICMP is dropped
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended deny icmp any host < FW outside address >
access-list outside-in remark interface name "outside" assumed from the ACL name
access-group outside-in in interface outside
I have been asked the question:
Isn't it better to inspect the ICMP traffic, or is this just adding unneeded overhead to the firewall?
I am fairly new to the ASAs, so I would appreciate your help to understand the difference and the best way to secure ICMP.
We want to allow outbound ICMP requests both through the ASA out to the internet and also allow ICMP requests made on the ASA out to the internet.
I'd appreciate your input and help understanding the difference.
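As an added illustration (not part of the original post and not a Cisco-supplied sample), here is what the same goal looks like when ICMP inspection does the work instead of per-type ACL entries. The interface names (outside/inside), the ACL name and the remark text are assumptions; adjust them to the real config. Two points a practitioner would want spelled out: the interface ACL only filters traffic going through the ASA, while ICMP addressed to the ASA's own interface is governed by the `icmp` interface command, so the two halves of the question are configured in different places; and `inspect icmp` costs one connection entry per outstanding echo request, but in return it admits exactly one reply per request and drops the unsolicited echo-replies and error messages that a static `permit icmp any any echo-reply` lets in.

```cisco
! Added example, not the poster's config. Interface names, ACL name and
! remark text are assumptions for illustration.
!
! 1. Stateful ICMP handling in the default global policy.
!    "inspect icmp" tracks echo request/reply pairs by ICMP id/sequence;
!    "inspect icmp error" admits unreachable/time-exceeded/etc. only when the
!    embedded header matches an existing connection (and fixes up NAT in it).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Through-the-box ICMP. With inspection on, an outbound ping from an
!    inside host creates a connection entry and the matching echo-reply is
!    returned through it, so the inbound ACL needs no "permit icmp any any
!    echo-reply"; traceroute and PMTUD errors are handled by "inspect icmp
!    error" the same way. Unsolicited ICMP from the Internet falls through
!    to the interface ACL's implicit deny.
access-list outside-in remark ICMP replies and errors are admitted by inspection, not by this ACL
access-list outside-in extended permit tcp any host 192.0.2.10 eq 443
access-group outside-in in interface outside
!
! 3. To-the-box ICMP (pings/traceroutes run on the ASA itself). This is not
!    filtered by the interface ACL; it is controlled per interface by the
!    "icmp" command. Once any "icmp" rule exists on an interface, anything
!    not explicitly permitted to that interface is denied, so the rules
!    below let the ASA's own outbound pings get their replies back while
!    refusing echo requests from the Internet.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any echo outside
icmp permit any inside
!
! Verification (assumed workflow): run a ping from an inside host or from
! the ASA, then check that the inspection is active and that an ICMP
! connection entry exists for the duration of the echo exchange:
!   show service-policy inspect icmp
!   show conn | include ICMP
```

The single `permit tcp` line in the ACL is only a placeholder for whatever through-traffic the site really allows inbound (192.0.2.10 is a documentation address); its purpose is to show that no ICMP lines at all are needed in the ACL once inspection is on. If you keep the original per-type permits alongside inspection you gain nothing and still admit unsolicited echo-replies, so pick one model or the other.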