Allowing Icmp To And From The Fwsm - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services
Chapter 11
Allowing Remote Management

FWSM/contexta(config)# isakmp policy 1 authentication pre-share
FWSM/contexta(config)# isakmp policy 1 encryption 3des
FWSM/contexta(config)# isakmp policy 1 group 2
FWSM/contexta(config)# isakmp policy 1 hash sha
FWSM/contexta(config)# isakmp enable outside
FWSM/contexta(config)# crypto ipsec transform-set vpn esp-3des esp-sha-hmac
FWSM/contexta(config)# isakmp key 7mfi02lirotn address 209.165.200.223
FWSM/contexta(config)# access-list TUNNEL extended permit ip host 209.165.200.225 209.165.201.0 255.255.255.224
FWSM/contexta(config)# crypto map telnet_tunnel 1 ipsec-isakmp
FWSM/contexta(config)# crypto map telnet_tunnel 1 match address TUNNEL
FWSM/contexta(config)# crypto map telnet_tunnel 1 set peer 209.165.202.129
FWSM/contexta(config)# crypto map telnet_tunnel 1 set transform-set vpn
FWSM/contexta(config)# crypto map telnet_tunnel interface outside
FWSM/contexta(config)# telnet 209.165.201.0 255.255.255.224 outside
FWSM/contexta(config)# telnet timeout 30
Allowing ICMP to and from the FWSM
By default, ICMP (including ping) is not allowed to an FWSM interface or through the FWSM. (To allow ICMP through the FWSM, see Chapter 10, "Controlling Network Access with Access Control Lists.")
ICMP is an important tool for testing your network connectivity; however, it can also be used to attack the FWSM or your network. We recommend allowing ICMP during your initial testing, but then disallowing it during normal operation.
See the "Rule Limits" section on page A-5 for information about the maximum number of ICMP rules allowed for the entire system.
To permit or deny address(es) to reach an FWSM interface with ICMP (either from a host to the FWSM, or from the FWSM to a host, which requires the ICMP reply to be allowed back), enter the following command:
FWSM/contexta(config)# icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name
If you do not specify an icmp_type, all types are identified. You can enter the number or the name. To control ping, specify echo-reply (0) (FWSM to host) or echo (8) (host to FWSM). See the "ICMP Types" section on page D-9 for a list of ICMP types.
Like ACLs, the FWSM matches a packet to each icmp statement in order. You should use specific statements first, and general statements later. There is an implicit deny at the end. For example, if you allow all addresses first, then deny a specific address after, then that address will be unintentionally allowed because it matched the first statement.
Note: If you only want to allow the FWSM to ping a host (and thus allow the echo reply back to the interface), and not allow hosts to ping the FWSM, you can enable the ICMP inspection engine instead of entering the command above. See the "ICMP Inspection Engine" section on page 13-10.
For example, to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface, enter the following commands:
FWSM/contexta(config)# icmp deny host 10.1.1.15 inside
FWSM/contexta(config)# icmp permit any inside
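The ordering rule above (first match wins, implicit deny at the end) is easy to check mechanically before a rule set reaches the firewall. The following Python script is an added example written for this page; it is not Cisco code and not part of the FWSM. It parses rules in the icmp command syntax shown above, evaluates a packet against them in order, and flags any rule that an earlier, broader statement on the same interface already covers, which is exactly how the "permit any before deny host" mistake shows up. The ICMP type-name table is an assumed subset of the names the command accepts; numeric types are always accepted.

```python
"""Added example (not Cisco's code): first-match evaluator and shadowing
linter for FWSM-style `icmp` rules, following the syntax in this section:

    icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name

Assumptions: a missing icmp_type matches every type, rules are tried in
order, and a packet that matches nothing hits the implicit deny.
"""
import ipaddress

# Assumed subset of the ICMP type names the command accepts (numbers always work).
ICMP_TYPE_NAMES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def parse_icmp_rule(line):
    """Parse one `icmp ...` line into a dict; raise ValueError on malformed input."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line!r}")
    action, idx = tokens[1], 2
    if tokens[idx] == "any":
        network, idx = ipaddress.ip_network("0.0.0.0/0"), idx + 1
    elif tokens[idx] == "host":
        network, idx = ipaddress.ip_network(f"{tokens[idx + 1]}/32"), idx + 2
    else:
        # "ip_address mask" form: ipaddress accepts a dotted netmask after the
        # slash, and strict=False tolerates host bits set in the address part.
        network = ipaddress.ip_network(f"{tokens[idx]}/{tokens[idx + 1]}", strict=False)
        idx += 2
    rest = tokens[idx:]
    if len(rest) == 2:  # [icmp_type] interface_name
        type_tok, interface = rest
        icmp_type = int(type_tok) if type_tok.isdigit() else ICMP_TYPE_NAMES.get(type_tok)
        if icmp_type is None:
            raise ValueError(f"unknown ICMP type: {type_tok}")
    elif len(rest) == 1:  # interface_name only: every ICMP type
        icmp_type, interface = None, rest[0]
    else:
        raise ValueError(f"bad icmp rule: {line!r}")
    return {"action": action, "network": network, "icmp_type": icmp_type, "interface": interface}


def evaluate(rules, src_ip, icmp_type, interface):
    """Return (action, index of the matching rule); ("deny", None) is the implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    for i, rule in enumerate(rules):
        if rule["interface"] != interface:
            continue
        if rule["icmp_type"] is not None and rule["icmp_type"] != icmp_type:
            continue
        if addr in rule["network"]:
            return rule["action"], i
    return "deny", None


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule on the same
    interface already covers their whole address range and ICMP type."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["interface"] != rule["interface"]:
                continue
            type_covers = earlier["icmp_type"] is None or earlier["icmp_type"] == rule["icmp_type"]
            if type_covers and rule["network"].subnet_of(earlier["network"]):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # The manual's example (specific deny first), then the same two lines reversed.
    correct = [parse_icmp_rule(l) for l in ("icmp deny host 10.1.1.15 inside",
                                            "icmp permit any inside")]
    reversed_order = [parse_icmp_rule(l) for l in ("icmp permit any inside",
                                                   "icmp deny host 10.1.1.15 inside")]
    for name, rules in (("correct", correct), ("reversed", reversed_order)):
        print(name, "10.1.1.15 echo ->", evaluate(rules, "10.1.1.15", 8, "inside"),
              "shadowed:", shadowed_rules(rules))
```

Running the script shows the reversed rule set permitting 10.1.1.15 at rule 0 and reporting rule 1 as shadowed, while the manual's order denies that host and has no shadowed rules. The same evaluator also shows the effect of a type-specific statement: a rule that permits only echo-reply on an interface leaves echo requests to that interface on the implicit deny.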
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
11-10
OL-6392-01