Cisco ASA Series Configuration Manual page 55

Firewall cli, asa services module, and the adaptive security virtual appliance
Chapter 4
Access Rules
If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the
ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types,
you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.
We recommend that you always grant permission for the ICMP unreachable message type (type 3).
Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and
PPTP traffic. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process. See
RFC 1195 and RFC 1435 for details about path MTU discovery.
Procedure
Step 1
Create rules for ICMP traffic.
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name
If you do not specify an icmp_type, the rule applies to all types. You can enter the number or the name.
To control ping, specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA).
For the address, you can apply the rule to any address, to a single host, or to a network (ip_address mask).
Step 2
Create rules for ICMPv6 (IPv6) traffic.
ipv6 icmp {permit | deny} {host ipv6_address | ipv6-network/prefix-length | any} [icmp_type] interface_name
If you do not specify an icmp_type, the rule applies to all types.
For the address, you can apply the rule to any address, to a single host, or to a network (ipv6-network/prefix-length).
Step 3
(Optional.) Set rate limits on ICMP Unreachable messages so that the ASA will appear in traceroute output.
icmp unreachable rate-limit rate burst-size size
Example
hostname(config)# icmp unreachable rate-limit 50 burst-size 1
The rate limit can be 1-100, with 1 being the default. The burst size is meaningless, but must be 1-10.
Increasing the rate limit, along with enabling the set connection decrement-ttl command in a service
policy, is required to allow a traceroute through the ASA that shows the ASA as one of the hops. For
example, the following policy decrements the time-to-live (TTL) value for all traffic through the ASA.
class-map global-class
 match any
policy-map global_policy
 class global-class
  set connection decrement-ttl
Examples
The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside
interface:
hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside
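The rule-list semantics in this section (first match wins, an implicit deny appended as soon as any rule exists on an interface, and the need for a trailing permit any so that unreachable messages still get through) are easy to get wrong when reading a configuration. The following Python model is an added example written for this page; it is not Cisco code and does not talk to an ASA. It parses rules in the Step 1 and Step 2 syntax, evaluates them the way the text describes, and runs constructed rule sets (plus the page's own 10.1.1.15 example) through the evaluator. Assumptions: the "default behavior" before any rule is configured is modeled as permit, only the three ICMPv4 type names the page mentions (echo-reply, unreachable, echo) are mapped to numbers, and ICMPv6 types are given numerically (128 = echo request, 1 = destination unreachable).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# ICMPv4 type names used on the page (echo-reply 0, unreachable 3, echo 8).
# ICMPv6 uses a different numbering, so v6 rules in this model use numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class IcmpRule:
    action: str                 # "permit" or "deny"
    family: int                 # 4 for "icmp ...", 6 for "ipv6 icmp ..."
    network: Optional[Network]  # None means "any"
    icmp_type: Optional[int]    # None means the rule applies to all types
    interface: str


def parse_rule(line: str) -> IcmpRule:
    """Parse one rule in the syntax shown in Steps 1 and 2:
         icmp {permit|deny} {host A | A MASK | any} [type] iface
         ipv6 icmp {permit|deny} {host A | net/len | any} [type] iface
    """
    tok = line.split()
    family = 4
    if tok[0] == "ipv6":
        family = 6
        tok = tok[1:]
    if tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an ICMP rule: {line}")
    action, i = tok[1], 2
    if tok[i] == "any":
        network, i = None, i + 1
    elif tok[i] == "host":
        network, i = ipaddress.ip_network(tok[i + 1]), i + 2   # single host -> /32 or /128
    elif family == 6:
        network, i = ipaddress.ip_network(tok[i], strict=False), i + 1
    else:  # IPv4 "address mask" form; ipaddress accepts "addr/dotted-mask"
        network, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    rest = tok[i:]            # [icmp_type] interface_name
    icmp_type = None
    if len(rest) == 2:
        icmp_type = int(rest[0]) if rest[0].isdigit() else ICMP_TYPES[rest[0]]
    return IcmpRule(action, family, network, icmp_type, rest[-1])


def evaluate(rules: List[IcmpRule], interface: str, src_ip: str, icmp_type: int) -> str:
    """Decide whether an ICMP packet of icmp_type from src_ip, addressed to the
    ASA's `interface`, is permitted or denied. Rules are checked in configured
    order and the first match wins. As the page states, configuring any rule
    for an interface appends an implicit deny; with no rules at all the default
    applies (assumed here to be permit)."""
    src = ipaddress.ip_address(src_ip)
    applicable = [r for r in rules if r.interface == interface and r.family == src.version]
    if not applicable:
        return "permit"                       # assumption: default before any rule exists
    for r in applicable:
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        if r.network is not None and src not in r.network:
            continue
        return r.action
    return "deny"                             # the implicit deny at the end of the list


# Constructed rule sets (PAGE_EXAMPLE is the page's own example; the rest are made up here).
FORGOT_PERMIT_ANY = [parse_rule(l) for l in (
    "icmp deny any echo inside",   # block ping requests to the inside interface
    "icmp deny any 13 inside",     # block timestamp requests
)]
WITH_PERMIT_ANY = FORGOT_PERMIT_ANY + [parse_rule("icmp permit any inside")]
PAGE_EXAMPLE = [parse_rule(l) for l in (
    "icmp deny host 10.1.1.15 inside",
    "icmp permit any inside",
)]
V6_RULES = [parse_rule(l) for l in (
    "ipv6 icmp deny 2001:db8:1::/48 128 inside",   # constructed prefix; 128 = ICMPv6 echo request
    "ipv6 icmp permit any inside",
)]


def unreachable_allowed(rules: List[IcmpRule], interface: str = "inside", src: str = "10.1.1.5") -> bool:
    """The check the page recommends: does type 3 still get through on this interface?"""
    return evaluate(rules, interface, src, ICMP_TYPES["unreachable"]) == "permit"


if __name__ == "__main__":
    print("type 3, denies only      :", evaluate(FORGOT_PERMIT_ANY, "inside", "10.1.1.5", 3))
    print("type 3, with permit any  :", evaluate(WITH_PERMIT_ANY, "inside", "10.1.1.5", 3))
    print("echo from 10.1.1.15      :", evaluate(PAGE_EXAMPLE, "inside", "10.1.1.15", 8))
    print("echo from 10.1.1.16      :", evaluate(PAGE_EXAMPLE, "inside", "10.1.1.16", 8))
    print("v6 echo from 2001:db8:1::9:", evaluate(V6_RULES, "inside", "2001:db8:1::9", 128))
```

Run the script as-is and compare FORGOT_PERMIT_ANY with WITH_PERMIT_ANY: both deny the two unwanted types, but only the second still lets type 3 (unreachable) reach the interface, which is the path MTU discovery consequence the text warns about. Running a candidate rule list through unreachable_allowed before applying it is a cheap pre-change check.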
Cisco ASA Series Firewall CLI Configuration Guide
Configure Access Control
4-9