ICMP ACL Statements
Feb 04,2010 00:00 by alperen

The PIX/ASA firewall does not pass ICMP traffic through the firewall by default. The last chapter covered managing ICMP traffic directed at the interfaces of the PIX device itself. In this chapter, you learn about the access-list options used to allow specific ICMP traffic to pass through the PIX Firewall.

Use the following form of the access-list command to allow specific ICMP traffic. The any and host keywords work the same way as in IOS ACLs (note that the mask is a normal subnet mask, not an IOS-style wildcard mask). Use the no form of the command to remove the ACL entry. The basic syntax is

pix(config)# access-list acl_id {deny | permit} icmp {source_addr | local_addr}
{source_mask | local_mask} {dest_addr | remote_addr} {dest_mask | remote_mask}
icmp_type

icmp_type

    Non-IPSec implementations only: permits or denies a specific ICMP message type. If it is omitted, the entry matches every ICMP type. See the following table for the list of message types. No ICMP types are supported for use with IPSec.

The following table lists the possible ICMP type values and their literal equivalents. Either form can be used, but the literal form is easier for humans to interpret.

    Type  Literal               Type  Literal
    0     echo-reply            12    parameter-problem
    3     unreachable           13    timestamp-reply
    4     source-quench         14    timestamp-request
    5     redirect              15    information-request
    6     alternate-address     16    information-reply
    8     echo                  17    mask-request
    9     router-advertisement  18    mask-reply
    10    router-solicitation   31    conversion-error
    11    time-exceeded         32    mobile-redirect

The following example creates three static mappings for servers, allows three types of ICMP messages through (the replies and error messages that inside hosts need back, but not inbound echo requests), and then allows outside access to the servers' global addresses. Anything not explicitly permitted is dropped by the ACL's implicit deny.

Pix(config)# static (dmz,outside) 1.1.1.3 192.168.2.3 netmask 255.255.255.255
Pix(config)# static (dmz,outside) 1.1.1.4 192.168.2.4 netmask 255.255.255.255
Pix(config)# static (dmz,outside) 1.1.1.5 192.168.2.5 netmask 255.255.255.255
Pix(config)# access-list 101 permit icmp any any echo-reply
Pix(config)# access-list 101 permit icmp any any time-exceeded
Pix(config)# access-list 101 permit icmp any any unreachable
Pix(config)# access-list 101 permit tcp any host 1.1.1.3 eq www
Pix(config)# access-list 101 permit tcp any host 1.1.1.4 eq ftp
Pix(config)# access-list 101 permit tcp any host 1.1.1.5 eq smtp
Pix(config)# access-group 101 in interface outside
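To see how the entries above are evaluated, here is an added example (not part of the original article and not Cisco code) that parses PIX-style access-list lines, resolves ICMP literals using the table above, and decides whether a given ICMP message would pass, applying first-match semantics and the implicit deny. The sample configuration embedded in it is constructed from the example lines above.

```python
import ipaddress

# Literal -> type number, taken from the ICMP type table above.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "alternate-address": 6, "echo": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-reply": 13, "timestamp-request": 14, "information-request": 15,
    "information-reply": 16, "mask-request": 17, "mask-reply": 18,
    "conversion-error": 31, "mobile-redirect": 32,
}

def _parse_addr(tok):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # PIX ACLs take a normal subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(config_text):
    """Parse access-list lines (with or without a prompt) into {acl_id: [entries]}."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if "access-list" not in tok:
            continue
        tok = tok[tok.index("access-list"):]
        acl_id, action, proto = tok[1], tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        icmp_type = None  # no type keyword: the entry matches every ICMP type
        if proto == "icmp" and rest:
            icmp_type = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
        acls.setdefault(acl_id, []).append((action, proto, src, dst, icmp_type))
    return acls

def icmp_permitted(entries, src_ip, dst_ip, icmp_type):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src, dst, t in entries:
        if proto not in ("icmp", "ip") or s not in src or d not in dst:
            continue
        if proto == "icmp" and t is not None and t != icmp_type:
            continue
        return action == "permit"
    return False

# Constructed sample: the ICMP entries and one TCP entry from the example above.
SAMPLE = ("access-list 101 permit icmp any any echo-reply\n"
          "access-list 101 permit icmp any any time-exceeded\n"
          "access-list 101 permit icmp any any unreachable\n"
          "access-list 101 permit tcp any host 1.1.1.3 eq www\n")
ACL_101 = parse_acl(SAMPLE)["101"]
```

With this ACL, an inbound echo-reply (type 0) to 1.1.1.3 is permitted while an inbound echo request (type 8) hits the implicit deny, which is why outside hosts cannot ping the DMZ servers even though inside hosts get their replies back.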