Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

question concerning ICMP allowance

I'm running FWSM v3.2(2). I have an allow icmp any any configured that I'm allowing my intra-net folks to ping inbound. I have a question and a scenario.

question:

does icmp any any, really mean ANY type/code of icmp?

scenario:

i've ran into an issue with my edge router.

The MTU size is set to 1400 on the edge. If a server initiates an icmp packet with a "dont frag" flag, (doing it for path mtu test) the edge sends it back to the firewall advising the packets must be fragmented (due to the mtu 1400)

heres the catch, the firewall realizing the packet was destined to a remote location and not directly to the edge router, is dropping the packet with a "no matching session"...which of course makes sense, since the destination in the original packet wasnt the router.

I'm wondering how I allow the traffic back to the source (server) when the router grabs the packet and says, "you cant move forward due to MTU 1400" and shoots it back to the firewall?

sincerely,

bruce

4 REPLIES

Re: question concerning ICMP allowance

icmp any any - does cover any type/code of icmp.

have you tried enabling icmp and icmp error inspection under global policy to see if it helps your scenario.

New Member

Re: question concerning ICMP allowance

I havent tried that...is that just to monitor/inspect? or is that another layer of "allowance"?

bruce

Re: question concerning ICMP allowance

That's for inpsection.

Cisco Employee

Re: question concerning ICMP allowance

"icmp any any time-exceeded" in an ACL if you don't have inspection or "inspect icmp error" will get you the solution.

I hope it helps.

PK

164
Views
0
Helpful
4
Replies