The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Firewall Stateful Inspection of ICMP feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated within a private network and permits the entry of associated ICMP replies into the network. The Firewall Stateful Inspection of ICMP feature helps network administrators to debug network issues by using ICMP so that intruders cannot enter the network.
This module provides an overview of the firewall stateful inspection of ICMPv4 messages and describes how to configure the firewall to inspect ICMPv4 messages.
You must configure the Cisco firewall before you can configure the Firewall Stateful Inspection of ICMP feature.
The network must allow all ICMP traffic to pass through security appliance interfaces.
Access rules must be configured for ICMP traffic that terminates at a security appliance interface.
This feature does not work with the UDP traceroute utility, in which UDP datagrams are sent instead of ICMP packets. UDP traceroute is the default for UNIX systems. For a UNIX host to generate ICMP traceroute packets that are inspected by the firewall, use the “-I” option with the traceroute command.
Internet Control Management Protocol (ICMP) is a network protocol that provides information about a network and reports errors in the network. Network administrators use ICMP to debug network connectivity issues. To guard against potential intruders using ICMP to discover the topology of a private network, ICMPv4 messages can be blocked from entering a private network; however, network administrators may then be unable to debug the network.
You can configure Cisco routers to use access control lists (ACLs) to either completely allow or deny ICMPv4 messages. When using ACLs for ICMPv4 messages, message inspection has precedence over the configured allow or deny actions.
Informational messages that utilize a simple request/reply mechanism.
 Note |
To prevent ICMP attacks from using the Destination Unreachable error message, only one Destination Unreachable message is allowed per session by the firewall. A host that is processing a UDP session that is traversing the firewall may generate an ICMP error packet with a Destination Unreachable message. In such cases, only one Destination Unreachable message is allowed through the firewall for that session. |
The following ICMPv4 packet types are supported:
|
Packet Type |
Name |
Description |
|---|---|---|
|
0 |
Echo Reply |
Reply to an echo request (type 8). |
|
3 |
Unreachable |
Possible reply to any request. |
|
8 |
Echo Request |
Ping or a traceroute request. |
|
11 |
Time Exceeded |
Reply if the time-to-live (TTL) size of a packet is zero. |
|
13 |
Timestamp Request |
Request. |
|
14 |
Timestamp Reply |
Reply to a timestamp request (type 13). |
ICMPv4 packet types 0 and 8 are used to ping a destination; the source sends out an Echo Request packet and the destination responds with an Echo Reply packet. Packet types 0, 8, and 11 are used for ICMPv4 traceroute (that is, Echo Request packets that are sent start with a TTL size of 1) and the TTL size is incremented for each hop. Intermediate hops respond to the Echo Request packet with a Time Exceeded packet and the final destination responds with an Echo Reply packet.
If an ICMPv4 error packet is an embedded packet, the embedded packet is processed according to the protocol and the policy configured for the packet. For example, if the embedded packet is a TCP packet, and a drop action is configured for the packet, the packet is dropped even if ICMPv4 has configured a pass action.
An ICMPv4 packet arrives at the source interface. The firewall uses the source and destination addresses of the packet without any change for packet inspection. The firewall uses IP addresses (source and destination), the ICMP type, and the protocol for session key creation and lookup.
The packet passes the firewall inspection.
Return traffic comes from the destination interface and, based on the ICMPv4 message type, the firewall creates the session lookup key.
If the firewall session lookup is successful, the packet passes the firewall inspection.
ICMP return packets are checked by the inspect code, and not by access control lists (ACLs). The inspect code tracks destination address from each outgoing packet and checks each return packet. For Echo Reply and Timestamp Reply packets, the return address is checked. For Unreachable and Time Exceeded packets, the intended destination address is extracted from the packet data and checked.
A class map that matches the ICMP traffic.
A policy map with the inspect action.
Security zones and zone pairs (to attach a firewall policy map to the zone pair).
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
access-list access-list-number {deny | permit } icmp source source-wildcard destination destination-wildcard Example: |
Defines an extended IP access list. |
| Step 4 |
class-map type inspect class-map-name Example: |
Defines the class on which an action is to be performed and enters QoS class-map configuration mode. |
| Step 5 |
match protocol protocol-name Example: |
Configures a match criterion for a class map on the basis of the specified protocol. |
| Step 6 |
exit Example: |
Exits QoS class-map configuration mode and enters global configuration mode. |
| Step 7 |
policy-map type inspect policy-map-name Example: |
Creates a protocol-specific inspect type policy map and enters QoS policy-map configuration mode. |
| Step 8 |
class class-map-name Example: |
Defines the class on which an action is to be performed and enters QoS policy-map class configuration mode. |
| Step 9 |
inspect Example: |
Enables stateful packet inspection. |
| Step 10 |
exit Example: |
Exits QoS policy-map class configuration mode and enters QoS policy-map configuration mode. |
| Step 11 |
exit Example: |
Exits QoS policy-map configuration mode and enters global configuration mode. |
| Step 12 |
zone security zone-name Example: |
|
| Step 13 |
exit Example: |
Exits security zone configuration mode and enters global configuration mode. |
| Step 14 |
zone-pair security zone-pair-name source source-zone destination destination-zone Example: |
Creates a zone pair to which interfaces can be assigned and enters security zone-pair configuration mode. |
| Step 15 |
service-policy type inspect policy-map-name Example: |
Attaches a firewall policy map to a zone pair. |
| Step 16 |
end Example: |
Exits security zone-pair configuration mode and enters privileged EXEC mode. |
You can use the following show commands in any order.
| Step 1 |
enable Example:
|
| Step 2 |
show ip access-lists Example:Displays information about the specified policy map. |
| Step 3 |
show policy-map type inspect policy-map-name Example:Displays information about the specified policy map. |
| Step 4 |
show policy-map type inspect zone-pair zone-pair-name Example:Displays the runtime inspect type policy-map statistics for the zone pair. |
| Step 5 |
show zone security zone-name Example:Displays zone security information. |
| Step 6 |
show zone-pair security [source source-zone destination destination-zone] Example:Displays source and destination zones and the policy attached to the zone pair. |
The following sample output from the show ip access-lists command shows how ACLs are created for an ICMP session for which only ping packets were issued from the host:
Device# show ip access-lists
Extended IP access list 102
permit icmp any host 192.168.133.3 time-exceeded
permit icmp any host 192.168.133.3 unreachable
permit icmp any host 192.168.133.3 timestamp-reply
permit icmp any host 192.168.133.3 echo-reply (4 matches)
The following is sample output from the show policy-map type inspect p1 command:
Device# show policy-map type inspect p1
Policy Map type inspect p1
Class c1
Inspect
The following is sample output from the show policy-map type inspect zone-pair inout command:
Device# show policy-map type inspect zone-pair inout
Zone-pair: inout
Service-policy : p1
Class-map: c1 (match-all)
Match: protocol icmp
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytesThe following is sample output from the show zone security command:
Device# show zone security
zone self
Description: System defined zoneThe following is sample output from the show zone-pair security command:
Device# show zone-pair security source z1 destination z2
zone-pair name inout
Source-Zone z1 Destination-Zone z2
service-policy p1
Device# configure terminal
Device(config)# access-list 102 permit icmp 192.168.0.1 255.255.255.0 192.168.2.22 255.255.255.0
Device(config)# class-map type inspect c1
Device(config-cmap)# match protocol icmp
Device(config-cmap)# exit
Device(config)# policy-map type inspect p1
Device(config-pmap)# class c1
Device(config-pmap-c)# inspect
Device(config-pmap-c)# exit
Device(config-pmap)# exit
Device(config)# zone security z1
Device(config-sec-zone)# exit
Device(config)# zone security z2
Device(config-sec-zone)# exit
Device(config)# zone-pair security inout source z1 destination z2
Device(config-sec-zone-pair)# service-policy type inspect p1
Device(config-sec-zone-pair)# end
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
Security commands |
|
|
Standard/RFCs |
Title |
|---|---|
|
RFC 792 |
Internet Control Message Protocol |
|
RFC 950 |
Internet Standard Subnetting Procedure |
|
RFC 1700 |
Assigned Numbers |
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Firewall Stateful Inspection of ICMP |
Cisco IOS XE Release 2.1 Cisco IOS XE Release 3.2S |
The Firewall Stateful Inspection of ICMP feature categorizes ICMPv4 messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMP messages that are generated within a private network and permits the entry of associated ICMP replies. |
Feedback