Cisco ASA 5505 Configuration Manual page 681

Chapter 32
Configuring Management Access
Configuring ICMP Access
By default, you can send ICMP packets to any adaptive security appliance interface using either IPv4 or
IPv6. ICMP in IPv6 functions the same as ICMP in IPv4. ICMPv6 generates error messages, such as
ICMP destination unreachable messages and informational messages like ICMP echo request and reply
messages. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process and path
MTU discovery.
By default, the adaptive security appliance does not respond to ICMP echo requests directed to a
broadcast address. You can protect the adaptive security appliance from attacks by limiting the addresses
of hosts and networks that are allowed to have ICMP access to the adaptive security appliance.
The adaptive security appliance only responds to ICMP traffic sent to the interface that traffic comes in
on; you cannot send ICMP traffic through an interface to a far interface.
Note
For allowing ICMP traffic through the adaptive security appliance, see Chapter 30, "Configuring Access
Rules."
We recommend you always grant permission for the ICMP unreachable message type (type 3). Denying
ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP
traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
If you configure ICMP rules, then the adaptive security appliance uses a first match to the ICMP traffic
followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP packet
continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the
adaptive security appliance discards the ICMP packet and generates a syslog message. An exception is
when an ICMP rule is not configured; in that case, a permit statement is assumed.
To configure ICMP access rules, perform the following steps.
Detailed Steps
Step 1
Choose the Configuration > Device Management > Management Access > ICMP pane, click Add.
Step 2
Choose which version of IP to filter by clicking the appropriate radio button:
  Both (filters IPv4 and IPv6 traffic)
  IPv4 only
  IPv6 only
Step 3
If you want to insert a rule into the ICMP table, click the rule that the new rule will precede, and click
Insert.
The Create ICMP Rule dialog box appears in the right-hand pane.
Step 4
From the ICMP Type drop-down list, choose the type of ICMP message for this rule.
Step 5
From the Interface list, choose the destination adaptive security appliance interface the rule is to be
applied to.
Step 6
In the IP Address field, do one of the following:
  Add a specific IP address for the host or network.
  Click Any Address and go to Step 9.
Step 7
From the Mask drop-down list, choose the network mask.
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
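The first-match evaluation described above (permit or deny on the first matching entry, an implicit deny all, and an assumed permit when no ICMP rule is configured), modeled in Python as an added example; it is not code from the Cisco guide or the appliance. The rule fields, function names and sample addresses are constructed for illustration, and an empty table is taken to mean "no ICMP rule configured". The second function flags rule sets that would drop type 3 unreachable messages.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

UNREACHABLE = 3  # ICMP type the guide recommends always permitting
ECHO = 8         # ICMP echo request

@dataclass(frozen=True)
class IcmpRule:
    action: str               # "permit" or "deny"
    network: str              # source host or network in CIDR form
    icmp_type: Optional[int]  # None = any ICMP type
    interface: str            # appliance interface the rule applies to

def evaluate(rules, src, icmp_type, interface):
    """Decide the fate of an ICMP packet sent to an appliance interface."""
    if not rules:
        return "permit"       # assumption: empty table = no rule configured
    addr = ipaddress.ip_address(src)
    for rule in rules:        # table order matters: the first match wins
        if rule.interface != interface:
            continue
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        if addr in ipaddress.ip_network(rule.network):  # False across IP versions
            return rule.action
    return "deny"             # implicit deny all after the last entry

def pmtud_at_risk(rules, sources, interface):
    """Return the sources whose type 3 (unreachable) messages would be dropped."""
    return [s for s in sources
            if evaluate(rules, s, UNREACHABLE, interface) == "deny"]

# Constructed sample table: echo allowed from one management subnet only.
ECHO_ONLY = [IcmpRule("permit", "192.0.2.0/24", ECHO, "outside")]
# Same table with unreachable permitted from any IPv4 or IPv6 source first.
WITH_UNREACHABLE = [
    IcmpRule("permit", "0.0.0.0/0", UNREACHABLE, "outside"),
    IcmpRule("permit", "::/0", UNREACHABLE, "outside"),
] + ECHO_ONLY

if __name__ == "__main__":
    peers = ["198.51.100.7", "2001:db8::7"]  # constructed peer addresses
    print(pmtud_at_risk(ECHO_ONLY, peers, "outside"))
    print(pmtud_at_risk(WITH_UNREACHABLE, peers, "outside"))
    print(evaluate(WITH_UNREACHABLE, "203.0.113.9", ECHO, "outside"))
```

Adding a single echo permit is enough to trigger the implicit deny for every other ICMP type, which is why the unreachable permits are placed in the table as well.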
