FWSM icmp inspection

Jacob Berger
Level 2

I have the following config on FWSM:

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
!

What needs to be added to enable ICMP inspection?

And is the above config the default (I have a feeling someone changed some settings)?

Is there any special reason not to enable icmp inspect?

Thanks

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

You would have to go to the correct configuration mode with

policy-map global_policy
 class inspection_default

Then you could enter

  inspect icmp
  inspect icmp error

These are not enabled by default. I am not sure why they are not, since they are a usual reason for problems with users testing connectivity with ICMP. Also, without them you actually have to allow ICMP with ACLs rather than have ICMP traffic inspected.

So I am not sure why it's not on by default.

- Jouni

Thanks

Are any default inspections missing in the above config?

Hi,

To my understanding this is the Default Inspection Policy

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Please do remember to mark a reply as the correct answer if it answered your question.

Ask more if needed.

- Jouni
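
Added example, not part of the original thread and not Cisco tooling: a small Python check that answers the follow-up question by diffing the question's policy-map against the default list quoted in the last reply, and reports whether the two ICMP inspections are present. The function names are hypothetical, and the default list is the reply's own ("to my understanding"), not verified here against Cisco documentation.

```python
# Default list as given in the last reply (the poster's understanding),
# not checked here against Cisco documentation.
REPLY_DEFAULTS = {
    "dns maximum-length 512", "ftp", "h323 h225", "h323 ras", "rsh", "smtp",
    "sqlnet", "skinny", "sunrpc", "xdmcp", "sip", "netbios", "tftp",
}

# The config from the question, re-indented, with the "!" separators dropped.
QUESTION_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
"""

def inspections(config, policy="global_policy", cls="inspection_default"):
    """Return the 'inspect' arguments configured under one policy-map class."""
    found, in_policy, in_class = set(), False, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith(("policy-map ", "class-map ", "service-policy ")):
            in_policy, in_class = line == f"policy-map {policy}", False
        elif in_policy and line.startswith("class "):
            in_class = line == f"class {cls}"
        elif in_class and line.startswith("inspect "):
            found.add(" ".join(line.split()[1:]))  # normalise spacing
    return found

def audit(config):
    """Compare configured inspections with the reply's default list."""
    have = inspections(config)
    return {
        "missing_defaults": sorted(REPLY_DEFAULTS - have),
        "non_default": sorted(have - REPLY_DEFAULTS),
        "icmp": "icmp" in have,
        "icmp_error": "icmp error" in have,
    }
```

Calling audit(QUESTION_CONFIG) shows which entries of the reply's list are absent from the question's config and that neither ICMP inspection is configured; the parser keys on command keywords rather than indentation, so it also works on a paste that has lost its leading spaces.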
