
CBAC ICMP inspection

Hey guys,

Can anyone tell me whether CBAC can inspect ICMP traffic or not?

According to the Cisco configuration guide, it cannot inspect non-IP traffic. The following is mentioned in the Cisco configuration guide (Data Plane Configuration Guide, Context-Based Access Control Firewall) for CBAC:

"Supports only TCP and UDP IP protocol traffic. Other IP traffic, such as Internet Control Message Protocol (ICMP), is not inspected by CBAC and should be filtered with basic access lists".

But the following commands allow ICMP inspection.

When I ping from my Windows machine attached to the cloud, R2 and R3 reply to the ping packet:

R1(config)#access-list 101 deny ip any any

R1(config)#ip inspect name CBAC icmp

R1(config)#interface FastEthernet0/0
R1(config-if)# ip inspect CBAC out
R1(config-if)# ip access-group 101 in
 

Accepted Solutions

Stateful inspection of ICMP

Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed.

ICMP Packet Types Supported by CBAC:

Echo Reply, Destination Unreachable, Echo Request, Time Exceeded, Timestamp Request, Timestamp Reply

Refer to this document.

HTH

"Please rate helpful posts"
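
An added illustration, not part of either post and not Cisco's implementation: a simplified Python model of why the ping in the question succeeds even though ACL 101 denies all inbound IP. The class name, the addresses and the rule for matching error messages are assumptions made for the example, and session timeouts are left out.

```python
from dataclasses import dataclass

# ICMP types the answer lists as inspected by CBAC (IANA type numbers).
ECHO_REPLY, UNREACHABLE, ECHO_REQUEST = 0, 3, 8
TIME_EXCEEDED, TS_REQUEST, TS_REPLY = 11, 13, 14
REPLY_FOR = {ECHO_REQUEST: ECHO_REPLY, TS_REQUEST: TS_REPLY}
ERRORS = {UNREACHABLE, TIME_EXCEEDED}

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0  # echo/timestamp identifier

class IcmpInspector:
    """Toy model of `ip inspect CBAC out` plus `access-list 101 deny ip any any` inbound."""

    def __init__(self):
        self.sessions = set()  # (inside host, outside host, ident, expected reply type)

    def outbound(self, pkt):
        # A request leaving the inspected interface opens a return path for its reply only.
        if pkt.type in REPLY_FOR:
            self.sessions.add((pkt.src, pkt.dst, pkt.ident, REPLY_FOR[pkt.type]))
        return "permit"

    def inbound(self, pkt):
        # Replies must match an open session exactly.
        if (pkt.dst, pkt.src, pkt.ident, pkt.type) in self.sessions:
            return "permit"
        # Errors may come from an intermediate hop, so match on the inside host only
        # (assumption: a real firewall checks the packet embedded in the error).
        if pkt.type in ERRORS and any(s[0] == pkt.dst for s in self.sessions):
            return "permit"
        return "deny"  # everything else hits the deny-all ACL

def demo():
    fw = IcmpInspector()
    pc, r2, hop = "192.0.2.10", "198.51.100.2", "198.51.100.9"  # constructed addresses
    before = fw.inbound(Icmp(r2, pc, ECHO_REPLY, 7))  # unsolicited reply
    fw.outbound(Icmp(pc, r2, ECHO_REQUEST, 7))        # inside host pings R2
    return {
        "unsolicited_reply": before,
        "matching_reply": fw.inbound(Icmp(r2, pc, ECHO_REPLY, 7)),
        "inbound_request": fw.inbound(Icmp(r2, pc, ECHO_REQUEST, 7)),
        "time_exceeded": fw.inbound(Icmp(hop, pc, TIME_EXCEEDED)),
        "redirect": fw.inbound(Icmp(r2, pc, 5)),
    }
```

Only the reply that matches an outbound request passes; an echo request initiated from outside and ICMP types outside the listed set still hit the deny-all ACL.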
