Solved: CBAC ICMP inspection

pankaj kumar · ‎04-19-2014

Hey guys,

Can any one tell me whether CBAC can inspect the ICMP traffic or not.

According to CISCO configuration guide it cannot inspect non IP traffic following is mentioned in the cisco configuration guide (Data Plane Configuration Guide Context-Based Access Control Firewall ) for CBAC .

"Supports only TCP and UDP IP protocol traffic. Other IP traffic, such as Internet Control Message Protocol (ICMP), is not inspected by CBAC and should be filtered with basic access lists".

But following command allow the ICMP inspection.

When i ping from my window machine attached to cloud R2 and R3 reply the ping packet:-

R1(config)#access-list 101 deny ip any any

R1(config)#ip inspect name CBAC icmp

R1(config)#interface FastEthernet0/0
R1(config-if)# ip inspect CBAC out
R1(config-if)# ip access-group 101 in

Poonam Garg · ‎04-20-2014

Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed.

ICMP Packet Types Supported by CBAC:

Echo Reply,Destination Unreachable,Echo Request,Time Exceeded,Timestamp Request,Timestamp Reply

Refer this document.

HTH

"Please rate helpful posts"

View solution in original post

Poonam Garg · ‎04-20-2014

Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed.

ICMP Packet Types Supported by CBAC:

Echo Reply,Destination Unreachable,Echo Request,Time Exceeded,Timestamp Request,Timestamp Reply

Refer this document.

HTH

"Please rate helpful posts"