Cisco ASA/PIX/FWSM: Handling ICMP Pings and Traceroute


PIX/ASA Software Versions 7.x

Pings Inbound

Pings initiated from the outside, or from another low-security interface of the PIX, are denied by default. The pings can be allowed by the use of a static and access lists, or by access lists alone. In this example, one server on the inside of the PIX is made accessible to external pings. A static translation is created between the inside address (10.1.1.5) and the outside address (192.168.1.5).

pix(config)#static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
pix(config)#access-list 101 permit icmp any host 192.168.1.5 echo
pix(config)#access-group 101 in interface outside

Pings Outbound

There are two options in PIX 7.x that allow inside users to ping hosts on the outside. The first option is to set up a specific rule for each type of echo-related return message.

For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings an outside host. Other ICMP status message types might be hostile, so the firewall blocks all other ICMP messages.

Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, ICMP inspection is added to the default global inspection policy.

For example:

policy-map global_policy
 class inspection_default
  inspect icmp
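To make the difference between the two options concrete, here is an added Python model (not code from the Cisco note) of a stateless return-message ACL versus stateful ICMP inspection, run over constructed packets. The `Icmp` class, `IcmpInspector`, and the outside addresses are assumptions for illustration; the model is deliberately simplified compared with the real inspection engine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: str   # "echo", "echo-reply", "unreachable", ...
    ident: int       # ICMP identifier that ties a reply to its request
    direction: str   # "out" = inside->outside, "in" = outside->inside

# Option 1: the return-message ACL applied "in" on the outside interface.
RETURN_TYPES = {"echo-reply", "source-quench", "unreachable", "time-exceeded"}

def acl_allows(pkt: Icmp) -> bool:
    """Stateless: any inbound packet of a permitted type passes, solicited or not."""
    return pkt.direction == "out" or pkt.icmp_type in RETURN_TYPES

# Option 2: a simplified model of 'inspect icmp'. An outbound echo creates a
# session entry; only a matching reply or error is let back in, and only once.
class IcmpInspector:
    def __init__(self) -> None:
        self.sessions: set = set()

    def allows(self, pkt: Icmp) -> bool:
        if pkt.direction == "out":
            if pkt.icmp_type == "echo":
                self.sessions.add((pkt.src, pkt.dst, pkt.ident))
            return True
        key = (pkt.dst, pkt.src, pkt.ident)  # reply is addressed back to the requester
        if pkt.icmp_type in RETURN_TYPES and key in self.sessions:
            self.sessions.discard(key)       # one response per request
            return True
        return False

def compare(packets):
    """Return (type, acl_verdict, inspection_verdict) for each packet in order."""
    insp = IcmpInspector()
    return [(p.icmp_type, acl_allows(p), insp.allows(p)) for p in packets]

# Constructed sample traffic; outside addresses are documentation ranges, not from the page.
SAMPLE = [
    Icmp("10.1.1.5", "198.51.100.9", "echo", 7, "out"),
    Icmp("198.51.100.9", "10.1.1.5", "echo-reply", 7, "in"),  # solicited reply
    Icmp("198.51.100.9", "10.1.1.5", "echo-reply", 7, "in"),  # duplicate reply
    Icmp("203.0.113.4", "10.1.1.5", "echo-reply", 99, "in"),  # unsolicited reply
    Icmp("203.0.113.4", "10.1.1.5", "echo", 1, "in"),         # inbound ping
]
```

Running `compare(SAMPLE)` shows the ACL passing every inbound echo-reply, while the inspector passes only the single reply that matches an outstanding request.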

Pinging Another Interface

The management-access command allows users to connect to the management-access interface from the outside ONLY when the user is connected to PIX/ASA using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel.

The inside interface of the PIX cannot be accessed from the outside, and vice versa, unless management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must be configured for the desired hosts.

pix(config)#management-access inside
pix(config)#show running-config management-access
management-access inside

Source: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0