Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
227
Views
5
Helpful
1
Replies

Most I deny packets icmp

pgarron
Level 1
Level 1

‎01-24-2003 03:00 PM - edited ‎03-02-2019 04:31 AM

Is it important to deny some type of icmp packets ICMP in my ACL in ?

Labels:
0 Helpful
1 Reply 1

steve.barlow
Level 7
Level 7

‎01-25-2003 11:09 AM

It really depends on where you are doing your filtering. If it connects you to the internet, I would deny all icmp except echo-reply (also unreachable and time-exceeded if you want traceroute) inbound, allows you to ping out but no one can ping in. If the device allows VPNs in, you willl need to allow "Destination Unreachable" as well (Type 3 Code 4) for Tunnel MTU Discovery (End-to-end MTU discovery uses Internet Control Message Protocol (ICMP) messages to determine the maximum MTU that a host can use to send a packet through the VPN tunnel without causing fragmentation).

If it's an internal router/firewall, you could allow echo both directions (and also source-quench). But generally, deny everything except what you need. ICMP is considered a security risk, that's why I would deny all icmp inbound from the internet (except as I mentioned before maybe echo-reply, but even that probably should be denied in the absence of any real need).

Hope it helps.

Steve

Customers Also Viewed These Support Documents