IOS Firewall (CBAC) + Path MTU Discovery

mbrown
Level 1

I was just reading through the 12.2T CBAC documentation and saw the section on icmp inspection and how it wildcards the outside IP because any hop could return with time-exceeded and destination-unreachable replies.

Seeing that made me wonder if this were true for TCP as well, especially in situations that involve Path MTU Discovery. If an internal system initiates an outbound TCP connection that's inspected by the IOS FW, and some external host replies with an ICMP Fragmentation Needed but DF Bit Set message, will the router consider this part of the session and pass it along to the internal host?

Thanks in advance.

-Mason

Accepted Solution

Mason,

ICMP inspection by CBAC doesn't include 'packet-too-big' packets. Hence, you need to explicitly permit those packets in your ACL for PMTUD to work as the router wouldn't consider these packets to be part of the TCP session and drop them.

Check out the link below for the ICMP packet types supported by CBAC.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0d.html

HTH,

Sundar

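The fix Sundar describes, shown as an added IOS configuration sketch (not taken from the thread or from Cisco's documentation): outbound TCP is inspected by CBAC, and the inbound ACL on the outside interface separately permits the PMTUD "fragmentation needed but DF set" message (ICMP type 3, code 4, the `packet-too-big` keyword). The interface names, the inside prefix 192.0.2.0/24, the outside address and the absence of NAT are assumptions for the example.

```cisco
! Inspection rule: CBAC tracks outbound TCP/UDP and the ICMP types it supports,
! but the type 3/code 4 message that drives PMTUD is not tied to a TCP session.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! Inbound ACL on the outside interface. Everything CBAC has a session for is
! opened dynamically; the PMTUD message must be permitted statically.
ip access-list extended OUTSIDE-IN
 remark PMTUD: ICMP type 3 code 4, sent by any hop toward the inside host
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark Assumes no NAT: with NAT, match the inside-global (translated) address
 remark because the inbound ACL is evaluated before outside-to-inside translation
 deny ip any any log
!
interface FastEthernet0/0
 description Inside (assumed)
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 description Outside (assumed)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect CBAC out
!
! Verification after an inside host opens a TCP session through the router:
!   show ip inspect sessions          -> the outbound TCP session is tracked
!   show access-lists OUTSIDE-IN      -> hit count rises on the packet-too-big line
!                                        when a path MTU message arrives
```

Restricting the ACL entry to the inside prefix (rather than `any any`) keeps the static hole limited to hosts that could actually have a session through the firewall.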

2 Replies

Yep, thanks for the link and the info.

I guess I was so surprised at the intelligence of ICMP inspection (wildcard return packets for TTL exceeded, etc.) that I built up my expectations that this might be carried over into TCP and UDP sessions.

Thanks again!

-Mason