https://community.cisco.com/t5/network-security/cbac-icmp-inspection/m-p/2438060#M267376 <P>Hey guys,</P><P>Can any one tell me whether CBAC can inspect the ICMP traffic or not.</P><P>According to CISCO configuration guide it cannot inspect non IP traffic following is mentioned in the cisco configuration guide (<STRONG>Data Plane Configuration Guide Context-Based Access Control Firewall</STRONG> ) for CBAC .</P><P>"<STRONG>Supports only TCP and UDP IP protocol traffic. Other IP traffic, such as Internet Control Message Protocol (ICMP), is not inspected by CBAC and should be filtered with basic access lists</STRONG>".</P><P>But following command allow the ICMP inspection.</P><P>When i ping from my window machine attached to cloud R2 and R3 reply the ping packet:-</P><P>R1(config)#access-list 101 deny ip any any</P><P>R1(config)#ip inspect name CBAC icmp</P><P>R1(config)#interface FastEthernet0/0<BR />R1(config-if)# ip inspect CBAC out<BR />R1(config-if)# ip access-group 101 in<BR />&nbsp;</P> Tue, 12 Mar 2019 04:06:23 GMT pankaj kumar 2019-03-12T04:06:23Z https://community.cisco.com/t5/network-security/cbac-icmp-inspection/m-p/2438060#M267376 <P>Hey guys,</P><P>Can any one tell me whether CBAC can inspect the ICMP traffic or not.</P><P>According to CISCO configuration guide it cannot inspect non IP traffic following is mentioned in the cisco configuration guide (<STRONG>Data Plane Configuration Guide Context-Based Access Control Firewall</STRONG> ) for CBAC .</P><P>"<STRONG>Supports only TCP and UDP IP protocol traffic. Other IP traffic, such as Internet Control Message Protocol (ICMP), is not inspected by CBAC and should be filtered with basic access lists</STRONG>".</P><P>But following command allow the ICMP inspection.</P><P>When i ping from my window machine attached to cloud R2 and R3 reply the ping packet:-</P><P>R1(config)#access-list 101 deny ip any any</P><P>R1(config)#ip inspect name CBAC icmp</P><P>R1(config)#interface FastEthernet0/0<BR />R1(config-if)# ip inspect CBAC out<BR />R1(config-if)# ip access-group 101 in<BR />&nbsp;</P> Tue, 12 Mar 2019 04:06:23 GMT https://community.cisco.com/t5/network-security/cbac-icmp-inspection/m-p/2438060#M267376 pankaj kumar 2019-03-12T04:06:23Z https://community.cisco.com/t5/network-security/cbac-icmp-inspection/m-p/2438061#M267379 <P>Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed.</P><P>&nbsp;ICMP Packet Types Supported by CBAC:</P><P>Echo Reply,Destination Unreachable,Echo Request,Time Exceeded,Timestamp Request,Timestamp Reply&nbsp;</P><P>&nbsp;</P><P>Refer <A href="http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_protocol_cbac_fw/configuration/15-2mt/sec-prot-cbac-fw-15-2mt-book/sec-prot-fw-state-icmp.html">this document</A>.</P><P>&nbsp;</P><P>HTH</P><P>"Please rate helpful posts"</P> Sun, 20 Apr 2014 11:56:22 GMT https://community.cisco.com/t5/network-security/cbac-icmp-inspection/m-p/2438061#M267379 Poonam Garg 2014-04-20T11:56:22Z