Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ICMP and CBAC ios 12.4

Hi everyone,

recently I read ios 12.4 configuration guide chapter about CBAC and what I was surprised by were the following: "Restrictions

CBAC has the following restrictions:

CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)" And right several chapters later I saw one called "Firewall Stateful Inspection of ICMP" which states that some types of ICMP can be inspected by CBAC. Isn't this a contradiction on documentation? Why two chapters of the same gude say quite opposite things?

Thanks for replies

Hall of Fame Super Blue

Re: ICMP and CBAC ios 12.4


Yes it is a bit confusing. I think the general comment about not supporting ICMP is meant to cover all ICMP types rather than list them out and then they say further on that there are some specific types which are supported ie. those that are generally of use in network troubleshooting

From Cisco doc

Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed. For the Cisco IOS firewall-supported ICMP message request types, see Table 29.

echo-request, echo-reply, destination unreachable, time exceeded, timestamp request, timestamp reply



New Member

Re: ICMP and CBAC ios 12.4

Thanks, Jon

It's much more clear now!

CreatePlease to create content