Introduction
This document describes how to enable ICMP inspection on the FWSM, an issue several users have run into.
Problem
User has the following config on FWSM:
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
!
- What needs to be added to enable icmp inspection?
- Are any default inspections missing in the above config?
Solution:
The user first has to enter the correct configuration mode:
policy-map global_policy
 class inspection_default
Then, under that class, enter:
  inspect icmp
  inspect icmp error
Neither ICMP inspection is enabled by default. Without them the FWSM does not track ICMP statefully, so ICMP return traffic (for example echo replies) has to be explicitly permitted with ACLs rather than being inspected and allowed back through automatically.
The Default Inspection Policy
For comparison, this is the FWSM default global inspection policy. Against the user's configuration above, the only default inspection missing is inspect skinny; inspect icmp and inspect icmp error are not part of the default policy and must be added as shown in the solution.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
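The following script is an added example, not part of the original document or any Cisco tooling. It shows the two checks from this document done against a saved configuration: it parses the inspect lines under policy-map global_policy / class inspection_default, reports which default inspections are absent (here, skinny), and prints the CLI lines needed to add ICMP inspection in the order they are typed. The config text it parses is the user's config from this page, embedded as a constructed sample; the function names and the DEFAULT_INSPECTIONS set (taken from the default policy listing above) are assumptions of this example.

```python
"""Audit an FWSM global_policy for missing default inspections and
emit the commands needed to add ICMP inspection (hypothetical helper)."""

# Inspections in the FWSM default global policy, keyed by the token(s)
# that identify the inspection (from the "Default Inspection Policy" listing).
DEFAULT_INSPECTIONS = {
    "dns", "ftp", "h323 h225", "h323 ras", "rsh", "smtp", "sqlnet",
    "skinny", "sunrpc", "xdmcp", "sip", "netbios", "tftp",
}

# ICMP inspections are never part of the default policy; without them
# ICMP return traffic must be permitted by ACL instead of being inspected.
ICMP_INSPECTIONS = ["icmp", "icmp error"]

# Constructed sample: the user's running config from the page.
SAMPLE_CONFIG = """\
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
!
"""


def _inspect_key(line):
    """Normalise an 'inspect ...' line to its identifying key:
    'inspect dns maximum-length 512' -> 'dns', 'inspect h323 h225' -> 'h323 h225',
    'inspect icmp error' -> 'icmp error'."""
    toks = line.split()[1:]  # drop the leading 'inspect'
    if toks[0] in ("h323", "icmp") and len(toks) > 1 and toks[1] in ("h225", "ras", "error"):
        return f"{toks[0]} {toks[1]}"
    return toks[0]


def inspections_in_class(config_text, policy="global_policy", cls="inspection_default"):
    """Return the set of inspections configured under policy-map <policy> / class <cls>.
    Parsing is keyword-based so it works whether or not the config is indented."""
    found = set()
    cur_policy = cur_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map "):
            cur_policy, cur_class = line.split()[1], None
        elif line.startswith(("class-map ", "service-policy ")):
            cur_policy = cur_class = None  # another top-level block ends the policy-map
        elif line.startswith("class ") and cur_policy:
            cur_class = line.split()[1]
        elif line.startswith("inspect ") and cur_policy == policy and cur_class == cls:
            found.add(_inspect_key(line))
        # other sub-commands (e.g. 'set connection') are ignored
    return found


def missing_default_inspections(config_text):
    """Default inspections that the supplied config does not apply."""
    return sorted(DEFAULT_INSPECTIONS - inspections_in_class(config_text))


def icmp_inspection_commands(config_text):
    """CLI lines to type, in order, to add whichever ICMP inspections are absent."""
    present = inspections_in_class(config_text)
    needed = [i for i in ICMP_INSPECTIONS if i not in present]
    if not needed:
        return []
    return ["policy-map global_policy", " class inspection_default"] + [
        f"  inspect {i}" for i in needed
    ]


if __name__ == "__main__":
    print("Missing default inspections:", missing_default_inspections(SAMPLE_CONFIG))
    print("Commands to add ICMP inspection:")
    print("\n".join(icmp_inspection_commands(SAMPLE_CONFIG)))
```

Run it against a saved "show running-config" and the printed command list is exactly the sequence from the Solution section; once inspect icmp and inspect icmp error are present the list is empty, which makes the script usable as a quick post-change check.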
Source Discussion
This document was generated from the following discussion: FWSM icmp inspection