Anim Saxena

 

Introduction

This document discusses how to enable ICMP inspection ("inspect icmp") on the FWSM, an issue faced by several users.

Problem

The user has the following configuration on the FWSM:

 

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
!

 

  • What needs to be added to enable icmp inspection?
  • Are any default inspections missing in the above config?

Solution:

The user has to enter the correct configuration mode with

policy-map global_policy
 class inspection_default

Then enter

inspect icmp
inspect icmp error

These are not enabled by default. Without them, ICMP has to be allowed with ACLs rather than having the ICMP traffic inspected.

 

The Default Inspection Policy


class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
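
The second question can be answered mechanically by comparing the user's inspect lines with the default policy listed above. The following is an added example, not part of the original document or any Cisco tool; the function names are hypothetical, and the lists and sample configuration are copied from this page.

```python
# Added example: audit the inspect lines of an FWSM policy-map class.
# Names are hypothetical; the lists and sample config are copied from this page.
DEFAULT_INSPECTS = {"dns", "ftp", "h323 h225", "h323 ras", "rsh", "smtp", "sqlnet",
                    "skinny", "sunrpc", "xdmcp", "sip", "netbios", "tftp"}
ICMP_INSPECTS = {"icmp", "icmp error"}  # not enabled by default
KNOWN = DEFAULT_INSPECTS | ICMP_INSPECTS

USER_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
"""

def parse_inspects(config, policy="global_policy", cls="inspection_default"):
    """Return the inspection engines configured under policy-map/class."""
    found, in_policy, in_class = set(), False, False
    for words in (line.split() for line in config.splitlines()):
        if not words or words[0] == "!":
            continue
        if words[0] == "policy-map":
            in_policy, in_class = words[1:] == [policy], False
        elif words[0] in ("class-map", "service-policy"):
            in_policy = in_class = False  # another top-level block starts
        elif in_policy and words[0] == "class":
            in_class = words[1:] == [cls]
        elif in_policy and in_class and words[0] == "inspect" and len(words) > 1:
            two = " ".join(words[1:3])  # e.g. "h323 ras", "icmp error"
            found.add(two if two in KNOWN else words[1])  # drop parameters
    return found

def audit(config):
    """Report default and ICMP inspections absent from the config."""
    found = parse_inspects(config)
    return {"missing_defaults": sorted(DEFAULT_INSPECTS - found),
            "missing_icmp": sorted(ICMP_INSPECTS - found)}

if __name__ == "__main__":
    print(audit(USER_CONFIG))
```

The parser keys on command keywords rather than indentation, so it also works on configurations pasted without their leading spaces.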

Source Discussion

This document was generated from the following discussion: FWSM icmp inspection

Comments
steven redford

I'm having a problem with this also..

 

I type policy-map global_policy

class inspection_default

I type inpsect but it's coming back as an unrecognised command?

 

 
