Just read an article on what disallowing ICMP does to path MTU discovery (it breaks it). It causes poor web performance, and some WWW servers might be totally unavailable if the client or server can't learn the proper MTU for each other.
The debug on my Internet router shows messages like this popping up about 2-3 a second:
ICMP: dst (188.8.131.52) administratively prohibited unreachable sent to 184.108.40.206
ICMP: dst (220.127.116.11) administratively prohibited unreachable sent to 18.104.22.168
ICMP: dst (22.214.171.124) administratively prohibited unreachable sent to 126.96.36.199
ICMP: dst (188.8.131.52) administratively prohibited unreachable sent to 184.108.40.206
ICMP: dst (220.127.116.11) administratively prohibited unreachable sent to 18.104.22.168
ICMP: dst (22.214.171.124) administratively prohibited unreachable sent to 126.96.36.199
ICMP: dst (188.8.131.52) administratively prohibited unreachable sent to 184.108.40.206
Question: How do I tell my 2611XM router above to allow these ICMP messages through, and what ICMP protocol type can I let through my CheckPoint firewall in order to make path discovery work properly? And not have mgmt. laugh at me when I tell them I want to 'open up ICMP'...
You might be confusing MTU with MSS (Max. Segment Size). Remember, MTU is really a layer 2 concept. MSS is negotiated at a higher level within the 3-way TCP handshake. For example, this is how web servers let clients know what their MSS is, so they can adjust accordingly. A path MTU problem is mostly something that happens between routers in the path, and it becomes more prevalent when using added encapsulation like GRE and/or IPsec. You can allow PMTUD on your router by allowing ICMP type 3 code 4 messages.
Example using an ACL:
access-list 101 permit icmp any any 3 4
Note that when you look at the running-config, IOS resolves the ICMP type and code to look like this:
permit icmp any any packet-too-big
There are some things to think about because there are known Denial of Service attacks using Path MTU. Here is one URL that discusses this type of attack:
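To make the answer above concrete, here is an added example that is not from the thread or from Cisco. It builds a real ICMPv4 type 3 code 4 ("fragmentation needed", what IOS displays as packet-too-big) message as defined in RFC 1191, parses it back, applies the equivalent of `access-list 101 permit icmp any any 3 4` with its implicit deny, and then adds the sanity checks a host or firewall can use to blunt the PMTUD denial-of-service trick the answer warns about: the advertised next-hop MTU must be plausible and actually smaller than what we use now, and the quoted inner header must match a connection we really have. The addresses, ports, flow table and the `accept_pmtu` policy are assumptions for illustration, and all packets are constructed inline so nothing touches the network.

```python
"""Added example (not from the original thread): build, parse and filter an
ICMPv4 Type 3 Code 4 message and show what 'opening up ICMP' for PMTUD does
and does not need to let through. Everything below is constructed inline."""
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # IOS renders type 3 / code 4 as "packet-too-big"
IPV4_MIN_MTU = 68             # RFC 791: every host must accept at least this


def icmp_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IP checksum left zero; unused here)."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                       64, proto, 0, ip2b(src), ip2b(dst))


def build_frag_needed(next_hop_mtu: int, orig_src: str, orig_dst: str,
                      sport: int, dport: int) -> bytes:
    """RFC 1191 layout: type, code, checksum, unused(16), next-hop MTU(16),
    then the original IP header plus the first 8 bytes of its payload
    (here the TCP source/destination ports and a zeroed sequence number)."""
    quoted = ipv4_header(orig_src, orig_dst, 6, 1500) + struct.pack("!HHI", sport, dport, 0)
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(pkt: bytes) -> dict:
    """Return type/code/next-hop MTU and, for unreachables, the quoted 5-tuple."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("short ICMP message or bad checksum")
    t, c, _, _, mtu = struct.unpack("!BBHHH", pkt[:8])
    info = {"type": t, "code": c, "next_hop_mtu": mtu}
    inner = pkt[8:]
    if t == ICMP_DEST_UNREACH and len(inner) >= 28:
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        src = ".".join(str(b) for b in inner[12:16])
        dst = ".".join(str(b) for b in inner[16:20])
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        info["flow"] = (src, dst, proto, sport, dport)
    return info


# Mirror of 'access-list 101 permit icmp any any 3 4': a (type, code) list
# where code None means "any code", followed by IOS's implicit deny.
PMTUD_ACL = ((ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED),)


def acl_permits(icmp_type: int, icmp_code: int, rules=PMTUD_ACL) -> bool:
    return any(icmp_type == rt and (rc is None or icmp_code == rc) for rt, rc in rules)


def accept_pmtu(pkt: bytes, known_flows, current_mtu: int = 1500) -> bool:
    """Assumed host/firewall policy (not from the thread): honour a
    packet-too-big only if the ACL permits it, the advertised MTU is sane and
    actually lower than what we use, and the quoted flow is one we own."""
    try:
        info = parse_icmp(pkt)
    except ValueError:
        return False
    if not acl_permits(info["type"], info["code"]):
        return False
    if not IPV4_MIN_MTU <= info["next_hop_mtu"] < current_mtu:
        return False                       # forged tiny MTU or no reduction at all
    return info.get("flow") in known_flows  # must quote a connection we really have


if __name__ == "__main__":
    # Constructed sample: our client 10.0.0.5:40000 talking to a web server.
    flows = {("10.0.0.5", "203.0.113.10", 6, 40000, 443)}
    good = build_frag_needed(1400, "10.0.0.5", "203.0.113.10", 40000, 443)
    forged = build_frag_needed(1400, "10.0.0.5", "203.0.113.10", 40000, 8080)
    print(parse_icmp(good))
    print("legit packet-too-big accepted:", accept_pmtu(good, flows))
    print("unknown-flow packet-too-big accepted:", accept_pmtu(forged, flows))
```

Two points the code makes that the ACL alone does not: `permit icmp any any 3 4` is enough for PMTUD to work and still denies every other ICMP type (so echo requests are not being "opened up"), and the embedded original header is what lets an endpoint reject packet-too-big messages that do not belong to any of its connections.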