07-15-2007 12:25 AM - edited 03-11-2019 03:44 AM
Hi everyone,
recently I read ios 12.4 configuration guide chapter about CBAC and what I was surprised by were the following: "Restrictions
CBAC has the following restrictions:
CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)" And right several chapters later I saw one called "Firewall Stateful Inspection of ICMP" which states that some types of ICMP can be inspected by CBAC. Isn't this a contradiction on documentation? Why two chapters of the same gude say quite opposite things?
Thanks for replies
07-15-2007 11:21 PM
Hi
Yes it is a bit confusing. I think the general comment about not supporting ICMP is meant to cover all ICMP types rather than list them out and then they say further on that there are some specific types which are supported ie. those that are generally of use in network troubleshooting
From Cisco doc
Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed. For the Cisco IOS firewall-supported ICMP message request types, see Table 29.
echo-request, echo-reply, destination unreachable, time exceeded, timestamp request, timestamp reply
HTH
Jon
07-15-2007 11:53 PM
Thanks, Jon
It's much more clear now!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide