05-29-2009 02:24 PM - edited 03-11-2019 08:37 AM
Hi All,
I have an ASA that has an OUTSIDE interface connected to the Internet, and an INSIDE interface connected to my LAN.
I enter the following commands on the ASA:
access-list 105 extended deny icmp any any
class-map ICMP
match access-list 105
policy-map ICMP
class ICMP
service-policy ICMP interface INSIDE
I thought that if I applied these commands, then the ICMP packets are going to be dropped, but that's not the case.
Are these commands doing anything on the ASA and can I drop packets by using CLASS-MAPS and POLICY-MAPS instead of using ACCESS-LISTS?
Thank you!
Federico.
05-29-2009 05:11 PM
Those commands are not doing anything.
You need to permit the traffic in the access-list for it to be matched in the class-map and then specify what you want done for those matched packets like inspect icmp.
The best place to deny icmp is by applying an access-list IN on the inside interface and permitting everything else.
example:
access-list inside-acl deny icmp any any
access-list inside-acl permit ip any any
access-group inside-acl in int inside
I hope this helps.
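To make the distinction concrete, here is the point above written out as an added example (not from the original posts), reusing the names from the thread. The two parts are alternatives, not meant to be applied together: the interface ACL is where a drop happens, while the class-map/policy-map pair only selects traffic the ACL permits and then applies an action such as inspect icmp.

```text
! A) Dropping ICMP: done with an interface ACL, not with MPF
access-list inside-acl extended deny icmp any any
access-list inside-acl extended permit ip any any
access-group inside-acl in interface INSIDE

! B) Acting on ICMP with MPF: the class-map ACL must PERMIT the traffic,
!    a deny entry only means "not matched" and never drops a packet.
access-list 105 extended permit icmp any any
class-map ICMP
 match access-list 105
policy-map ICMP
 class ICMP
  inspect icmp
service-policy ICMP interface INSIDE
```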
05-30-2009 09:42 AM
Great, thank you!
What if I want to permit ICMP PING packets but only of certain size?
Can I accomplish that with the CLASS-MAPS and POLICY-MAPS?
Thank you!
06-01-2009 04:42 AM
Presently I do not see a way to achieve this in the ASA/PIX or FWSM platform.
You can however do this for dns inspection.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130