ASR1k inspection of ICMP -> ACL vs ZBF

Philippe Latu
Level 1

Hello,

While reading the page linked below, I was surprised to see an ACL is created and never referenced in the class-map that comes afterward.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/fw-stateful-icmp.html

Is the ACL mentioning the matched protocol used by default?

I thought I had to configure something like:

ip access-list extended ICMP-ACL
 deny   icmp any any fragments
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 deny   icmp any any

then

class-map type inspect match-all ICMP-CMAP
 match access-group name ICMP-ACL
 match protocol icmp

policy-map type inspect CAMPUS2DPT-PMAP
 class type inspect ICMP-CMAP
  inspect INSPECT-PARAM

If anyone could point out where my mistake is, I would be very pleased.

TIA


Julio Carvajal
VIP Alumni

There is no mistake.

You could use the ACL to be restrictive and just match certain ICMP traffic across your network.

But the configuration is fine: it says match all ICMP protocol traffic that is involved with the ACL (so an ACL hit has to happen).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
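To make the answer concrete, here is a small Python model of what the match-all class-map above does. It is an added illustration, not Cisco code and not the real IOS XE implementation: it evaluates the question's ACL first-match with the implicit deny at the end, then combines the ACL result with the protocol match under match-all or match-any semantics. The Packet/Ace classes, the fragment handling and the helper names are simplifications I made for the example; real ACL processing has more cases (established, object-groups, fragment offset rules) than are modelled here.

```python
"""Model of how a ZBF class-map combines `match access-group` and
`match protocol`. Added example, not Cisco code: it approximates IOS
first-match ACL evaluation and match-all / match-any class-map logic.
"""
from dataclasses import dataclass
from typing import List, Optional

# The ACL exactly as written in the question, one ACE per line (order matters).
ICMP_ACL = """
deny   icmp any any fragments
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any ttl-exceeded
permit icmp any any unreachable
deny   icmp any any
"""


@dataclass
class Packet:
    """Constructed test packet; only the fields the ACL can look at."""
    proto: str                       # "icmp", "tcp", "udp"
    icmp_type: Optional[str] = None  # ICMP type keyword, e.g. "echo"
    fragment: bool = False           # non-initial fragment, no L4 header


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str
    qualifier: Optional[str]    # ICMP type keyword, "fragments", or None


def parse_acl(text: str) -> List[Ace]:
    """Parse 'action proto any any [qualifier]' lines into ACEs (assumed format)."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        # parts[2], parts[3] are the src/dst ("any any"); a qualifier may follow
        qualifier = parts[4] if len(parts) > 4 else None
        aces.append(Ace(action, proto, qualifier))
    return aces


def acl_permits(aces: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    for ace in aces:
        if ace.proto != pkt.proto:
            continue
        if ace.qualifier == "fragments":
            # The `fragments` keyword only matches non-initial fragments
            if pkt.fragment:
                return ace.action == "permit"
            continue
        if ace.qualifier is None:
            # L3-only ACE: matches initial packets and fragments alike
            return ace.action == "permit"
        # ICMP type keyword: needs the L4 header, so initial packets only
        if not pkt.fragment and pkt.icmp_type == ace.qualifier:
            return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def class_matches(pkt: Packet, aces: List[Ace], protocol: str,
                  mode: str = "match-all") -> bool:
    """match-all: ACL hit AND protocol hit; match-any: either one suffices."""
    acl_hit = acl_permits(aces, pkt)
    proto_hit = pkt.proto == protocol
    if mode == "match-all":
        return acl_hit and proto_hit
    return acl_hit or proto_hit


ACES = parse_acl(ICMP_ACL)

if __name__ == "__main__":
    for pkt in (Packet("icmp", "echo"), Packet("icmp", "redirect"),
                Packet("icmp", fragment=True), Packet("tcp")):
        hit = class_matches(pkt, ACES, "icmp")
        print(f"{pkt!r:60} -> {'inspect' if hit else 'no class match'}")
```

Running the model shows the behaviour the answer describes: an echo request is permitted by the ACL and is ICMP, so the match-all class inspects it; an ICMP redirect or a non-initial ICMP fragment is denied by the ACL, so it never reaches the inspect action even though `match protocol icmp` alone would have matched it; switching the class to match-any would let the protocol line alone pull those packets in, which is why match-all is the right choice when the ACL is meant to restrict.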
