Turn off ICMP to outside interface of 3020 Concentrator?

lhoyle
Level 1

Our security geeks want to know if I can turn off ICMP to our outside interface. They don't want any outsiders to hit us with a ping sweep or ping attack.

BTW, I am an "infrastructure" geek ;-)

Thanks!


jackko
Level 7

In order to protect the concentrator from DoS attacks, the concentrator should be deployed behind a firewall with NAT as well as an ACL permitting the required protocols and ports, e.g. UDP 500.

The firewall should be capable of securing the concentrator from DoS attacks etc. It's probably too late to stop the attack once the attack hits the concentrator.

bogdahnt
Level 1

Hi Lewis,

Under Configuration > interfaces > public interface there is a filter assigned to this interface. You can configure this filter for your needs.

Under configuration -> policy management -> traffic management -> filters you can assign rules for your filter for the public interface. Here you can remove the ICMP rule from the current rules in the filter to disallow ICMP.

Hope that helps and brgds

Thomas.

Hi,

As IPSec does PMTUD for all the packets, it is important that ICMP "unreachable" (Type: 3) messages are able to reach the concentrator.

Would suggest allowing this as well as ICMP "time exceeded" message (Type: 11) rather than blocking full ICMP.

Regards,

Shijo George
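The selective policy suggested in the reply above, as an added example that is not part of the thread and is not Cisco filter syntax: a Python check that drops echo requests but permits ICMP types 3 and 11, and reads the next-hop MTU that PMTUD depends on. The function names, the addresses (documentation ranges) and the sample packets are constructed assumptions.

```python
import struct

# Assumed policy for the public interface, per the thread: permit ICMP
# type 3 (unreachable) and type 11 (time exceeded), drop all other ICMP.
ALLOWED_ICMP_TYPES = {3: "destination unreachable", 11: "time exceeded"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Constructed sample: IPv4 header without options, then an ICMP message.
    The IP header checksum is left at 0 because the filter does not check it."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                     bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    return ip + body

def filter_icmp(packet: bytes):
    """Return (action, detail) for one inbound IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("drop", "not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        return ("skip", "not ICMP")  # left to other rules, e.g. UDP 500
    icmp = packet[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return ("drop", "malformed ICMP")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in ALLOWED_ICMP_TYPES:
        return ("drop", f"ICMP type {icmp_type} not permitted")
    if icmp_type == 3 and code == 4:
        # RFC 1191: next-hop MTU sits in the low 16 bits of the second word.
        mtu = struct.unpack("!H", icmp[6:8])[0]
        return ("permit", f"fragmentation needed, next-hop MTU {mtu}")
    return ("permit", ALLOWED_ICMP_TYPES[icmp_type])
```

Type 3 code 4 is the message a router sends when an IPSec packet with DF set is too large for the next hop; dropping it along with echo requests leaves the tunnel unable to learn the smaller MTU.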

Thanks to for all the help!