ICMP and CBAC ios 12.4

ciscolexey · ‎07-15-2007

Hi everyone,

recently I read ios 12.4 configuration guide chapter about CBAC and what I was surprised by were the following: "Restrictions

CBAC has the following restrictions:

CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)" And right several chapters later I saw one called "Firewall Stateful Inspection of ICMP" which states that some types of ICMP can be inspected by CBAC. Isn't this a contradiction on documentation? Why two chapters of the same gude say quite opposite things?

Thanks for replies

Jon Marshall · ‎07-15-2007

Hi

Yes it is a bit confusing. I think the general comment about not supporting ICMP is meant to cover all ICMP types rather than list them out and then they say further on that there are some specific types which are supported ie. those that are generally of use in network troubleshooting

From Cisco doc

Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed. For the Cisco IOS firewall-supported ICMP message request types, see Table 29.

echo-request, echo-reply, destination unreachable, time exceeded, timestamp request, timestamp reply

HTH

Jon

ciscolexey · ‎07-15-2007

Thanks, Jon

It's much more clear now!