11-12-2009 02:50 PM - edited 03-11-2019 09:39 AM
I'm running FWSM v3.2(2). I have an allow icmp any any configured that I'm allowing my intra-net folks to ping inbound. I have a question and a scenario.
question:
does icmp any any, really mean ANY type/code of icmp?
scenario:
i've ran into an issue with my edge router.
The MTU size is set to 1400 on the edge. If a server initiates an icmp packet with a "dont frag" flag, (doing it for path mtu test) the edge sends it back to the firewall advising the packets must be fragmented (due to the mtu 1400)
heres the catch, the firewall realizing the packet was destined to a remote location and not directly to the edge router, is dropping the packet with a "no matching session"...which of course makes sense, since the destination in the original packet wasnt the router.
I'm wondering how I allow the traffic back to the source (server) when the router grabs the packet and says, "you cant move forward due to MTU 1400" and shoots it back to the firewall?
sincerely,
bruce
11-13-2009 12:08 AM
icmp any any - does cover any type/code of icmp.
have you tried enabling icmp and icmp error inspection under global policy to see if it helps your scenario.
11-15-2009 12:10 PM
I havent tried that...is that just to monitor/inspect? or is that another layer of "allowance"?
bruce
11-15-2009 10:33 PM
That's for inpsection.
11-16-2009 10:35 AM
"icmp any any time-exceeded" in an ACL if you don't have inspection or "inspect icmp error" will get you the solution.
I hope it helps.
PK
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide