Help with Application Inspection on ASA

May 29th, 2009

Hi All,


I have an ASA that has an OUTSIDE interface connected to the Internet, and an INSIDE interface connected to my LAN.

I enter the following commands on the ASA:

access-list 105 extended deny icmp any any

class-map ICMP
  match access-list 105

policy-map ICMP
  class ICMP

service-policy ICMP interface INSIDE


I thought that if I applied these commands, then the ICMP packets would be dropped, but that's not the case.

Are these commands doing anything on the ASA and can I drop packets by using CLASS-MAPS and POLICY-MAPS instead of using ACCESS-LISTS?


Thank you!

Federico.

Kureli Sankar (Cisco Employee) Fri, 05/29/2009 - 17:11

Those commands are not doing anything.


You need to permit the traffic in the access-list for it to be matched in the class-map, and then specify what you want done with those matched packets, like inspect icmp.


The best place to deny icmp is by applying an access-list IN on the inside interface and permitting everything else.


Example:

access-list inside-acl deny icmp any any
access-list inside-acl permit ip any any

access-group inside-acl in int inside


I hope this helps.
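As an added example (not part of Kureli Sankar's reply or the original poster's configuration), here is what the two approaches described above look like as complete ASA configuration: the Modular Policy Framework form, where the class-map matches a permit entry in an ACL and the policy-map then applies an action to the matched packets (here inspect icmp), followed by the interface ACL form that actually drops ICMP. The names icmp-traffic, icmp-class, inside-policy and inside-acl are assumed for illustration.

```cisco
! --- Modular Policy Framework: classify with a PERMIT entry, then act on it ---
! A deny entry in an ACL referenced by a class-map never produces a match,
! which is why a class-map built on "deny icmp any any" does nothing.
access-list icmp-traffic extended permit icmp any any

class-map icmp-class
  match access-list icmp-traffic

! The policy-map must name an action for the class; a class with no action
! (as in the original post) leaves the traffic untouched.
policy-map inside-policy
  class icmp-class
    inspect icmp

! One service-policy can be bound per interface, in addition to the global policy.
service-policy inside-policy interface inside

! --- Dropping ICMP: use an interface ACL, not the policy-map ---
access-list inside-acl extended deny icmp any any
access-list inside-acl extended permit ip any any
access-group inside-acl in interface inside
```

To confirm that either piece is doing work, check the hit counters: show service-policy interface inside reports packets handled by the inspection policy, and show access-list inside-acl reports hits on the deny and permit entries.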



fedecotof Sat, 05/30/2009 - 09:42

Great, thank you!


What if I want to permit ICMP PING packets, but only of a certain size?


Can I accomplish that with the CLASS-MAPS and POLICY-MAPS?


Thank you!
