Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1435
Views
5
Helpful
4
Replies

FWSM icmp inspection

Go to solution
Jacob Berger
Level 2
Level 2

‎09-17-2013 03:45 AM - edited ‎03-11-2019 07:39 PM

i have the following config on FWSM:

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect smtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

!

what needs to be added to enable icmp inspection?

and is the above config the default ( i have a feeling some changed some settings)?

is there any special reason not to enable icmp inspect  ?

thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎09-17-2013 04:00 AM

Hi,

You would have to go to the correct configuration mode with

policy-map global_policy

class inspection_default

Then you could  enter

inspect icmp

inspect icmp error

These are not enabled by default. I am not sure why they are not since they are a usual reason for problem with users testing connectivity with ICMP. Also wihtout them you actually have to allow ICMP with ACLs rather than have ICMP traffic inspected.

So I am not sure why its not on by default.

- Jouni

View solution in original post

4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎09-17-2013 04:00 AM

Hi,

You would have to go to the correct configuration mode with

policy-map global_policy

class inspection_default

Then you could  enter

inspect icmp

inspect icmp error

These are not enabled by default. I am not sure why they are not since they are a usual reason for problem with users testing connectivity with ICMP. Also wihtout them you actually have to allow ICMP with ACLs rather than have ICMP traffic inspected.

So I am not sure why its not on by default.

- Jouni

Go to solution
Jacob Berger
Level 2
Level 2
In response to Jouni Forss

‎09-17-2013 04:10 AM

Thanks

are any default inspections missing in the above config?

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jacob Berger

‎09-17-2013 04:15 AM

Hi,

To my understanding this is the Default Inspection Policy



class-map inspection_default





 




 match default-inspection-traffic





 




policy-map global_policy





 




 class inspection_default





 




  inspect dns maximum-length 512





 




  inspect ftp





 




  inspect h323 h225





 




  inspect h323 ras





 




  inspect rsh





 




  inspect smtp





 




  inspect sqlnet





 




  inspect skinny





 




  inspect sunrpc





 




  inspect xdmcp





 




  inspect sip





 




  inspect netbios





 




  inspect tftp





 




service-policy global_policy global

Please do remember to mark a reply as the correct answer if it answered your question.

Ask more if needed.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card