07-18-2012 09:54 AM - edited 03-11-2019 04:32 PM
Question,
Are there any best practices or best recommendations on how ICMP should be configured from the outside? I have been cleaning up the rules on our ASA as a lot were simply ported over years ago when we retired our PIX. I noticed that there is a rule to allow ICMP any any and began to wonder how this works when the rules above are specific IP addresses and specific ports. This in turn started me looking to see if there was any documentation or anything to help me determine a best practice. Anyone know of anything?
As a second part, how does this flow on a firewall if all the addresses are NATed? Is the ICMP traffic simply passed through the NAT and the destination simply responds?
Brent
07-22-2012 03:53 AM
Here you go, bro!
access-list inside remark ICMP types needed for ping, path MTU discovery and traceroute
access-list inside extended permit icmp any any echo
access-list inside extended permit icmp any any echo-reply
access-list inside extended permit icmp any any unreachable
access-list inside extended permit icmp any any time-exceeded
access-list inside remark IPv4 packet-too-big is unreachable code 4 and is already covered by the unreachable line above
access-list inside remark UDP traceroute probe ports; a port range needs the range keyword, not eq
access-list inside extended permit udp any any range 33434 33464
access-list inside extended deny icmp any any log
P.S.: if you think this comment is useful, please do rate it nicely :-)
07-22-2012 04:38 AM
Hi,
It is not advised to have ICMP enabled from the outside world (Internet). Maybe you restrict it to a specific IP range that is allowed access. Example: from the SNMP server to the hosts.
Yes for your second question... Yes, through NAT this will respond as usual, if that is a one-to-one mapping. Else you cannot target the host if it is PAT.
please do rate if the given information helps.
by
karthik
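Putting the two answers together, here is an added example (not posted by anyone in the thread) of an outside interface ACL that permits echo only from a monitoring network to one published server, allows the error types any host may send back, logs and drops the rest, and uses ICMP inspection so that pings started from inside get their replies back through the NAT without an "any any" permit. The interface name outside, the ACL name outside_in, the object names and the addresses 10.1.1.10, 203.0.113.10 and 198.51.100.0/24 are placeholders; the syntax assumes ASA 8.3 or later, where the ACL references the real (pre-NAT) address.

```text
object network web_server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object-group network trusted_monitoring
 network-object 198.51.100.0 255.255.255.0
access-list outside_in remark ASA 8.3+ ACLs match the real inside address, not the translated one
access-list outside_in remark Echo requests only from the monitoring network, only to the published server
access-list outside_in extended permit icmp object-group trusted_monitoring object web_server echo
access-list outside_in remark Error messages any host may legitimately send back (path MTU, traceroute)
access-list outside_in extended permit icmp any object web_server unreachable
access-list outside_in extended permit icmp any object web_server time-exceeded
access-list outside_in remark Everything else, including echo from the Internet at large, is logged and dropped
access-list outside_in extended deny icmp any any log
access-group outside_in in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

With inspect icmp the ASA tracks echo/echo-reply as a connection, so an inside host's ping gets exactly its reply back through the static or PAT translation; inspect icmp error rewrites the address embedded in unreachable and time-exceeded messages so NAT does not break them.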