Enabling icmp inspection on FWSM

Document

Thu, 05/21/2015 - 01:08
Sep 26th, 2013

Introduction

This document discusses how to enable ICMP inspection on the FWSM, an issue faced by several users.

Problem

User has the following config on FWSM:

 

!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
!

 

  • What needs to be added to enable icmp inspection?
  • Are any default inspections missing in the above config?

Solution:

The user has to enter the correct configuration mode with:

policy-map global_policy
 class inspection_default

Then enter:

inspect icmp
inspect icmp error

These are not enabled by default. Without them, you have to allow ICMP with ACLs rather than have ICMP traffic inspected.

The Default Inspection Policy


class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
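
The check below is an added example, not part of the original document or any Cisco tooling: it compares a pasted configuration against the default inspection list above and reports whether the two ICMP engines are enabled. The function names and the report keys are assumptions made for this illustration.

```python
# Default engines, copied from "The Default Inspection Policy" on this page.
DEFAULT_INSPECTS = {"dns", "ftp", "h323 h225", "h323 ras", "rsh", "smtp", "sqlnet",
                    "skinny", "sunrpc", "xdmcp", "sip", "netbios", "tftp"}
ICMP_INSPECTS = {"icmp", "icmp error"}  # not enabled by default, per the Solution

# Sample input: the user's configuration from the Problem section.
USER_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
"""

def engine_name(args):
    """'dns maximum-length 512' -> 'dns'; 'h323 ras' and 'icmp error' stay whole."""
    if args[0] == "h323" or args[:2] == ["icmp", "error"]:
        return " ".join(args[:2])
    return args[0]

def enabled_inspects(config, policy="global_policy", cls="inspection_default"):
    """Engines under one class of one policy-map; keyed on keywords, not indentation."""
    found, in_policy, in_class = set(), False, False
    for words in filter(None, map(str.split, config.splitlines())):
        if words[0] in ("policy-map", "class-map", "service-policy"):
            in_policy, in_class = words[:2] == ["policy-map", policy], False
        elif words[0] == "class" and in_policy:
            in_class = words[1:] == [cls]
        elif words[0] == "inspect" and in_class and len(words) > 1:
            found.add(engine_name(words[1:]))
    return found

def audit(config):
    """Default engines that are absent, and ICMP engines not yet being inspected."""
    enabled = enabled_inspects(config)
    return {"missing_defaults": sorted(DEFAULT_INSPECTS - enabled),
            "icmp_not_inspected": sorted(ICMP_INSPECTS - enabled)}
```

Calling audit(USER_CONFIG) reports skinny as the one default engine absent from the user's configuration, along with both ICMP engines.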

Source Discussion

This document was generated from the following discussion: FWSM icmp inspection

steven redford Thu, 05/21/2015 - 01:08

I'm having a problem with this also.

 

I type policy-map global_policy

class inspection_default

I type inpsect but it's coming back as an unrecognised command?

 

 
