Recently I read the IOS 12.4 configuration guide chapter about CBAC, and what I was surprised by was the following: "Restrictions
CBAC has the following restrictions:
CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)" And right several chapters later I saw one called "Firewall Stateful Inspection of ICMP", which states that some types of ICMP can be inspected by CBAC. Isn't this a contradiction in the documentation? Why do two chapters of the same guide say quite opposite things?
Yes, it is a bit confusing. I think the general comment about not supporting ICMP is meant to cover all ICMP types rather than list them out, and then they say further on that there are some specific types which are supported, i.e. those that are generally of use in network troubleshooting.
From the Cisco doc:
Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed. For the Cisco IOS firewall-supported ICMP message request types, see Table 29.
echo-request, echo-reply, destination unreachable, time exceeded, timestamp request, timestamp reply
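As an added example (not from the thread or from the Cisco guide), here is the difference between the two chapters in configuration terms: ICMP filtered with a basic access list, as the Restrictions text advises, beside ICMP handled by CBAC inspection. The interface name, the ACL names and the inspection rule name `FW` are assumptions made for illustration.

```cisco
! Constructed example: interface names, ACL names and the inspection
! rule name FW are placeholders, not values from the thread.
!
! --- Before: ICMP handled only by a static ACL (stateless) ---
! These replies are permitted inbound at all times, whether or not an
! inside host sent a matching request.
ip access-list extended OUTSIDE-IN-STATIC
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any
!
! --- After: ICMP inspected by CBAC (stateful) ---
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! The inbound ACL no longer carries ICMP permits; CBAC adds temporary
! openings for return traffic that belongs to sessions it saw leave.
ip access-list extended OUTSIDE-IN
 deny   ip any any
!
interface GigabitEthernet0/1
 description outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

After a ping from an inside host, `show ip inspect sessions` lists the ICMP session that CBAC is tracking.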