This document discusses how to enable ICMP inspection on the FWSM, an issue faced by several users.
The user has the following config on the FWSM:
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
- What needs to be added to enable icmp inspection?
- Are any default inspections missing in the above config?
The user would have to go to the correct configuration mode with

policy-map global_policy
 class inspection_default

Then you could enter

  inspect icmp
  inspect icmp error

These are not enabled by default. Also, without them you actually have to allow ICMP with ACLs rather than have ICMP traffic inspected.
The Default Inspection Policy

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
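An added example (not from the original discussion or from Cisco): a small Python check that parses the inspect lines under policy-map global_policy / class inspection_default and reports which default inspections and which ICMP inspections are absent. The function names and the sample config string are constructed for illustration; the default list is copied from the default policy on this page.

```python
import re

# Default inspections, copied from the default inspection policy on this page.
DEFAULT_INSPECTS = {"dns", "ftp", "h323 h225", "h323 ras", "rsh", "smtp", "sqlnet",
                    "skinny", "sunrpc", "xdmcp", "sip", "netbios", "tftp"}
ICMP_INSPECTS = {"icmp", "icmp error"}  # the two lines the page says to add

# Constructed sample input: the user's policy as shown on this page.
USER_INSPECTS = ["dns maximum-length 512", "ftp", "h323 h225", "h323 ras", "netbios",
                 "rsh", "smtp", "sqlnet", "sunrpc", "tftp", "sip", "xdmcp"]
USER_CONFIG = ("class-map inspection_default\n match default-inspection-traffic\n!\n"
               "policy-map global_policy\n class inspection_default\n"
               + "".join(f"  inspect {p}\n" for p in USER_INSPECTS)
               + "!\nservice-policy global_policy global\n")

def parse_inspects(config, policy="global_policy", cls="inspection_default"):
    """Return the set of protocols inspected under the given policy-map/class."""
    found, cur_policy, cur_class = set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or "!" separator
        if line.startswith("policy-map "):
            cur_policy, cur_class = line.split()[1], None
        elif line.startswith("class ") and cur_policy:
            cur_class = line.split()[1]
        elif line.startswith("inspect "):
            if cur_policy == policy and cur_class == cls:
                # Drop the trailing option so "dns maximum-length 512" -> "dns".
                name = line[len("inspect "):]
                found.add(re.sub(r"\s+maximum-length\s+\d+$", "", name))
        elif not raw.startswith(" "):
            cur_policy = cur_class = None  # unindented command: back at global level
    return found

def audit(config):
    """Compare a config against the page's default list and the ICMP lines."""
    found = parse_inspects(config)
    return {"missing_defaults": sorted(DEFAULT_INSPECTS - found),
            "missing_icmp": sorted(ICMP_INSPECTS - found)}

if __name__ == "__main__":
    print(audit(USER_CONFIG))
```

An empty missing_icmp list means both ICMP inspections are present in the class; otherwise ICMP is still being handled by ACLs alone.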
This document was generated from the following discussion: FWSM icmp inspection