Cisco Support Community

IOS Firewall (CBAC) + Path MTU Discovery

I was just reading through the 12.2T CBAC documentation and saw the section on ICMP inspection and how it wildcards the outside IP because any hop could return time-exceeded and destination-unreachable replies.

Seeing that made me wonder if this were true for TCP as well, especially in situations that involve Path MTU Discovery. If an internal system initiates an outbound TCP connection that's inspected by the IOS FW, and some external host replies with an ICMP Fragmentation Needed but DF Bit Set message, will the router consider this part of the session and pass it along to the internal host?

Thanks in advance.

-Mason

1 ACCEPTED SOLUTION


Re: IOS Firewall (CBAC) + Path MTU Discovery

Mason,

ICMP inspection by CBAC doesn't include 'packet-too-big' packets. Hence, you need to explicitly permit those packets in your ACL for PMTUD to work, as the router wouldn't consider these packets part of the TCP session and would drop them.

Check out the link below for the ICMP packet types supported by CBAC.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b0d.html

HTH,

Sundar
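To make the answer above concrete, here is an added example (not code from the thread or from Cisco) that shows the two ways a firewall can treat an ICMP type 3 code 4 (fragmentation needed, DF set) message: the stateless ACL permit the answer recommends, which accepts on type/code alone, and the stateful match CBAC does not do for TCP, which ties the error back to an existing session through the offending packet's IP header and first eight bytes that RFC 792 requires the error to quote. The addresses, ports, session table and the packet built by `frag_needed` are all constructed for the example.

```python
import struct
from ipaddress import ip_address

# Constructed session table: one outbound TCP connection that the firewall already
# inspects (inside host 10.0.0.5:51234 -> outside server 203.0.113.10:443).
# All addresses and ports are hypothetical sample values.
SESSIONS = {
    ("10.0.0.5", 51234, "203.0.113.10", 443, "tcp"),
}

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 1191 "packet too big")


def ipv4_header(src, dst, proto, total_len, dont_fragment=True):
    """Minimal 20-byte IPv4 header (checksum left zero; nothing here verifies it)."""
    flags_frag = 0x4000 if dont_fragment else 0
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def tcp_first8(sport, dport, seq):
    """First 8 bytes of a TCP header (ports + sequence number), the part RFC 792 quotes."""
    return struct.pack("!HHI", sport, dport, seq)


def frag_needed(router_ip, inner_src, inner_dst, sport, dport, next_hop_mtu):
    """Build an ICMP type 3 code 4 message the way a router on the path would:
    ICMP header with the next-hop MTU in the low 16 bits of the second word (RFC 1191),
    followed by the offending packet's IP header and the first 8 bytes of its payload."""
    quoted = ipv4_header(inner_src, inner_dst, 6, 1500) + tcp_first8(sport, dport, 0x1000)
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return ipv4_header(router_ip, inner_src, 1, 20 + len(icmp), dont_fragment=False) + icmp


def parse_icmp_error(packet):
    """Return (outer_src, type, code, mtu, inner 5-tuple) or None if not a parseable ICMP error."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    outer_src = str(ip_address(packet[12:16]))
    if proto != 1 or len(packet) < ihl + 8 + 20 + 8:
        return None
    icmp = packet[ihl:]
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    inner_proto = {6: "tcp", 17: "udp"}.get(inner[9], "?")
    inner_src = str(ip_address(inner[12:16]))
    inner_dst = str(ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return outer_src, typ, code, mtu, (inner_src, sport, inner_dst, dport, inner_proto)


def acl_permits(packet):
    """Stateless check, i.e. what an explicit 'permit icmp ... packet-too-big' ACE does:
    accept on type and code alone, with no reference to any session."""
    p = parse_icmp_error(packet)
    return p is not None and p[1] == ICMP_DEST_UNREACH and p[2] == ICMP_FRAG_NEEDED


def stateful_match(packet, sessions):
    """What a stateful firewall would have to do to treat the error as part of the TCP
    session: the quoted inner header must describe an outbound packet of a known session.
    The outer source is deliberately not checked, because any hop on the path may send the
    error (the same reason CBAC wildcards the outside address for ICMP).
    Returns the MTU to apply, or None if the message should be dropped."""
    p = parse_icmp_error(packet)
    if p is None or p[1] != ICMP_DEST_UNREACH or p[2] != ICMP_FRAG_NEEDED:
        return None
    _outer_src, _typ, _code, mtu, inner = p
    if inner not in sessions:
        return None  # quoted packet is not one of ours: forged, stale or misdirected
    if mtu < 68:
        return None  # 0 from a pre-RFC 1191 router, or an absurd value; refuse it
    return mtu
```

In IOS terms, the answer's fix is an entry such as `permit icmp any any packet-too-big` in the ACL applied inbound on the outside interface (IOS accepts `packet-too-big` as shorthand for type 3, code 4). The example shows why that is the weaker of the two behaviours: `acl_permits` accepts a forged message for a session that does not exist just as readily as a genuine one, so once the ACL is opened the inside hosts' own validation of the quoted header is what stands between them and an attacker lowering their path MTU at will.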

2 REPLIES


Re: IOS Firewall (CBAC) + Path MTU Discovery

Yep, thanks for the link and the info.

I guess I was so surprised at the intelligence of ICMP inspection (wildcard return packets for TTL exceeded, etc) that I built up my expectations that this might be carried over into TCP and UDP sessions.

Thanks again!

-Mason
