mhagen4808

asked on

which way is better to protect "icmp" using icmp inspect vs access lists

In some of our ASA configs we are allowing ICMP, yet protecting ourselves from its misuse, by putting the following access lists on our ASAs:

access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any source-quench
access-list outside-in deny icmp any host < FW outside address >
=======================================================

I have been asked the question:

Isn't it better to inspect the ICMP traffic, or is this just adding unneeded overhead to the firewall?

=======================================================

I am fairly new to ASAs, so I would appreciate your help in understanding the difference and the best way to secure ICMP.

We want to allow outbound ICMP requests both through the ASA out to the internet and also allow ICMP requests made on the ASA out to the internet.

I'd appreciate your input and help understanding the difference.

Thanks
Pete Long

>>Isn't it better to inspect the ICMP traffic, or is this just adding unneeded overhead to the firewall?

Yes it is better - and the overhead is tiny :)

Remove those lines and add icmp inspection

Cisco Firewalls and PING

Pete
It's better to inspect, but inspecting any type of traffic also defeats the use of the ACL entries, as incoming traffic is first checked against existing "sessions" before ACL checking. So you should find that removing the ACL permit icmp entries and adding icmp inspect, if you don't have it already, will provide the same result for inside -> internet ICMP traffic.

For ICMP traffic to/from the firewall itself, you need to look at the icmp command.

Another Pete!
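To make the two answers concrete, here is an added configuration sketch (my own illustration, not taken from either post or from Cisco documentation) showing the ACL approach from the question beside the stateful inspection the answers recommend, and the separate `icmp` command that governs pings aimed at the ASA's own interface. The interface name `outside`, the `access-group` binding, and the management host 192.0.2.10 are assumptions for the example.

```cisco
! --- Approach 1 (as in the question): static ACL holes for ICMP replies and errors ---
! Any Internet host can send these types inbound, whether or not we sent a request first.
! (the "extended" keyword is the current ACL syntax; older releases accept it implicitly)
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-group outside-in in interface outside

! --- Approach 2 (recommended in the answers): stateful ICMP inspection ---
! The ASA creates a connection entry for each outbound echo request and admits only the
! matching echo-reply. "inspect icmp error" additionally admits ICMP errors (unreachable,
! time-exceeded) whose embedded header matches an existing connection, so traceroute and
! path MTU discovery keep working without any of the ACL lines above.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! --- Traffic terminating on the firewall's own interface address ---
! Neither the ACL nor inspection covers this; the icmp command does, first match wins.
! Only the assumed management host may ping the outside interface; replies and errors
! are still accepted so the ASA's own pings and PMTU discovery continue to work.
icmp permit host 192.0.2.10 echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
```

The security difference is in the first two sections: with the ACL alone, an unsolicited echo-reply or unreachable from an arbitrary Internet host is accepted at the outside interface, whereas with inspection it is dropped because no connection entry matches it. The `icmp` statements are evaluated in order, so the final `deny any` only takes effect for types not matched above it.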
mhagen4808

ASKER

I wouldn't be offended if you would help me out with your statement:

for icmp traffic to/from the firewall itself, you need to look at the icmp command.

Thanks
ASKER CERTIFIED SOLUTION
pgolding00

Yes, sorry for not getting back to you.
This question can be closed.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.