Firewall Stateful Inspection of ICMP

The Firewall Stateful Inspection of ICMP feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated within a private network and permits the entry of associated ICMP replies into the network. The Firewall Stateful Inspection of ICMP feature helps network administrators to debug network issues by using ICMP so that intruders cannot enter the network.

This module provides an overview of the firewall stateful inspection of ICMPv4 messages and describes how to configure the firewall to inspect ICMPv4 messages.

Prerequisites for Firewall Stateful Inspection of ICMP

  • You must configure the Cisco firewall before you can configure the Firewall Stateful Inspection of ICMP feature.

  • The network must allow all ICMP traffic to pass through security appliance interfaces.

  • Access rules must be configured for ICMP traffic that terminates at a security appliance interface.

Restrictions for Firewall Stateful Inspection of ICMP

This feature does not work with the UDP traceroute utility, in which UDP datagrams are sent instead of ICMP packets. UDP traceroute is the default for UNIX systems. For a UNIX host to generate ICMP traceroute packets that are inspected by the firewall, use the “-I” option with the traceroute command.

Information About Firewall Stateful Inspection of ICMP

Overview of the Firewall Stateful Inspection of ICMP

Internet Control Management Protocol (ICMP) is a network protocol that provides information about a network and reports errors in the network. Network administrators use ICMP to debug network connectivity issues. To guard against potential intruders using ICMP to discover the topology of a private network, ICMPv4 messages can be blocked from entering a private network; however, network administrators may then be unable to debug the network.

You can configure Cisco routers to use access control lists (ACLs) to either completely allow or deny ICMPv4 messages. When using ACLs for ICMPv4 messages, message inspection has precedence over the configured allow or deny actions.

ICMPv4 messages that use the IP protocol can be categorized into the following two types:

  • Informational messages that utilize a simple request/reply mechanism.

  • Error messages that indicate that some sort of error has occurred while delivering an IP packet.

    Note
    To prevent ICMP attacks from using the Destination Unreachable error message, only one Destination Unreachable message is allowed per session by the firewall.

    A host that is processing a UDP session that is traversing the firewall may generate an ICMP error packet with a Destination Unreachable message. In such cases, only one Destination Unreachable message is allowed through the firewall for that session.

The following ICMPv4 packet types are supported:

Table 1 ICMPv4 Packet Types

Packet Type

Name

Description

0

Echo Reply

Reply to an echo request (type 8).

3

Unreachable

Possible reply to any request.

8

Echo Request

Ping or a traceroute request.

11

Time Exceeded

Reply if the time-to-live (TTL) size of a packet is zero.

13

Timestamp Request

Request.

14

Timestamp Reply

Reply to a timestamp request (type 13).

ICMPv4 packet types 0 and 8 are used to ping a destination; the source sends out an Echo Request packet and the destination responds with an Echo Reply packet. Packet types 0, 8, and 11 are used for ICMPv4 traceroute (that is, Echo Request packets that are sent start with a TTL size of 1) and the TTL size is incremented for each hop. Intermediate hops respond to the Echo Request packet with a Time Exceeded packet and the final destination responds with an Echo Reply packet.

If an ICMPv4 error packet is an embedded packet, the embedded packet is processed according to the protocol and the policy configured for the packet. For example, if the embedded packet is a TCP packet, and a drop action is configured for the packet, the packet is dropped even if ICMPv4 has configured a pass action.

The following scenario describes how ICMPv4 packets pass through the firewall:

  1. An ICMPv4 packet arrives at the source interface. The firewall uses the source and destination addresses of the packet without any change for packet inspection. The firewall uses IP addresses (source and destination), the ICMP type, and the protocol for session key creation and lookup.

  2. The packet passes the firewall inspection.

  3. Return traffic comes from the destination interface and, based on the ICMPv4 message type, the firewall creates the session lookup key.

    1. If the reply message is an informational message, the firewall uses the source and destination addresses from the packet without any change for packet inspection. Here, the destination port is the ICMPv4 message request type.
    2. If the reply message is an ICMPv4 error message, the firewall uses the payload packet present in the ICMP error packet to create the session key for session lookup.

  5. If the firewall session lookup is successful, the packet passes the firewall inspection.

ICMP Inspection Checking

ICMP return packets are checked by the inspect code, and not by access control lists (ACLs). The inspect code tracks destination address from each outgoing packet and checks each return packet. For Echo Reply and Timestamp Reply packets, the return address is checked. For Unreachable and Time Exceeded packets, the intended destination address is extracted from the packet data and checked.

How to Configure Firewall Stateful Inspection of ICMP

Configuring Firewall Stateful Inspection of ICMP

Perform this task to configure the firewall stateful inspection of ICMP, which includes the following:

  • A class map that matches the ICMP traffic.

  • A policy map with the inspect action.

  • Security zones and zone pairs (to attach a firewall policy map to the zone pair).

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard

    4.    class-map type inspect class-map-name

    5.    match protocol protocol-name

    6.    exit

    7.    policy-map type inspect policy-map-name

    8.    class class-map-name

    9.    inspect

    10.    exit

    11.    exit

    12.    zone security zone-name

    13.    exit

    14.    zone-pair security zone-pair-name source source-zone destination destination-zone

    15.    service-policy type inspect policy-map-name

    16.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     
    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard


    Example:
    Device(config)# access-list 102 permit icmp 192.168.0.1 255.255.255.0 192.168.2.22 255.255.255.0
     

    Defines an extended IP access list.

     
    Step 4 class-map type inspect class-map-name


    Example:
    Device(config)# class-map type inspect c1
     

    Defines the class on which an action is to be performed and enters QoS class-map configuration mode.

     
    Step 5 match protocol protocol-name


    Example:
    Device(config-cmap)# match protocol icmp
     

    Configures a match criterion for a class map on the basis of the specified protocol.

     
    Step 6 exit


    Example:
    Device(config-cmap)# exit
     

    Exits QoS class-map configuration mode and enters global configuration mode.

     
    Step 7 policy-map type inspect policy-map-name


    Example:
    Device(config)# policy-map type inspect p1
     

    Creates a protocol-specific inspect type policy map and enters QoS policy-map configuration mode.

     
    Step 8 class class-map-name


    Example:
    Device(config-pmap)# class c1
     

    Defines the class on which an action is to be performed and enters QoS policy-map class configuration mode.

     
    Step 9 inspect


    Example:
    Device(config-pmap-c)# inspect
     

    Enables stateful packet inspection.

     
    Step 10 exit


    Example:
    Device(config-pmap-c)# exit
     

    Exits QoS policy-map class configuration mode and enters QoS policy-map configuration mode.

     
    Step 11 exit


    Example:
    Device(config-pmap)# exit
     

    Exits QoS policy-map configuration mode and enters global configuration mode.

     
    Step 12 zone security zone-name


    Example:
    Device(config)# zone security z1
     
    Creates a security zone and enters security zone configuration mode.

    • Your configuration must have two security zones to create a zone pair: a source zone and a destination zone.

    • In a zone pair, you can use the default zone as either the source or the destination zone.

     
    Step 13 exit


    Example:
    Device(config-sec-zone)# exit
     

    Exits security zone configuration mode and enters global configuration mode.

     
    Step 14 zone-pair security zone-pair-name source source-zone destination destination-zone


    Example:
    Device(config)# zone-pair security inout source z1 destination z2
     

    Creates a zone pair to which interfaces can be assigned and enters security zone-pair configuration mode.

     
    Step 15 service-policy type inspect policy-map-name


    Example:
    Device(config-sec-zone-pair)# service-policy type inspect p1
     

    Attaches a firewall policy map to a zone pair.

     
    Step 16 end


    Example:
    Device(config-sec-zone-pair)# end
     

    Exits security zone-pair configuration mode and enters privileged EXEC mode.

     

    Verifying Firewall Stateful Inspection of ICMP

    You can use the following show commands in any order.

    SUMMARY STEPS

      1.    enable

      2.    show ip access-lists

      3.    show policy-map type inspect policy-map-name

      4.    show policy-map type inspect zone-pair zone-pair-name

      5.    show zone security zone-name

      6.    show zone-pair security [source source-zone destination destination-zone]


    DETAILED STEPS
      Step 1   enable


      Example:
      Device> enable
      Enables privileged EXEC mode.

      • Enter your password if prompted.

      Step 2   show ip access-lists


      Example:
      Device# show ip access-lists

      Displays information about the specified policy map.

      Step 3   show policy-map type inspect policy-map-name


      Example:
      Device# show policy-map type inspect p1

      Displays information about the specified policy map.

      Step 4   show policy-map type inspect zone-pair zone-pair-name


      Example:
      Device# show policy-map type inspect zone-pair inout

      Displays the runtime inspect type policy-map statistics for the zone pair.

      Step 5   show zone security zone-name


      Example:
      Device# show zone security z1

      Displays zone security information.

      Step 6   show zone-pair security [source source-zone destination destination-zone]


      Example:
      Device# show zone-pair security source z1 destination z2

      Displays source and destination zones and the policy attached to the zone pair.

      Example:

      The following sample output from the show ip access-lists command shows how ACLs are created for an ICMP session for which only ping packets were issued from the host: 

      Device# show ip access-lists
 
 Extended IP access list 102
     permit icmp any host 192.168.133.3 time-exceeded
     permit icmp any host 192.168.133.3 unreachable
     permit icmp any host 192.168.133.3 timestamp-reply
     permit icmp any host 192.168.133.3 echo-reply (4 matches)

      The following is sample output from the show policy-map type inspect p1 command: 

      Device# show policy-map type inspect p1
 
 Policy Map type inspect p1
  Class c1
   Inspect

      The following is sample output from the show policy-map type inspect zone-pair inout command: 

      Device# show policy-map type inspect zone-pair inout
 
 Zone-pair: inout
  Service-policy : p1
   Class-map: c1 (match-all)
    Match: protocol icmp
    Inspect
     Session creations since subsystem startup or last reset 0
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [0:0:0]
     Last session created never
     Last statistic reset never
     Last session creation rate 0
     half-open session total 0   
   Class-map: class-default (match-any)
    Match: any
    Drop
     0 packets, 0 bytes

      The following is sample output from the show zone security command: 

      Device# show zone security

zone self
Description: System defined zone

      The following is sample output from the show zone-pair security command: 

      Device# show zone-pair security source z1 destination z2

zone-pair name inout
  Source-Zone z1  Destination-Zone z2 
  service-policy p1

      Configuration Examples for Firewall Stateful Inspection of ICMP

      Example: Configuring Firewall Stateful Inspection of ICMP

      Device# configure terminal
Device(config)# access-list 102 permit icmp 192.168.0.1 255.255.255.0 192.168.2.22 255.255.255.0
Device(config)# class-map type inspect c1
Device(config-cmap)# match protocol icmp 
Device(config-cmap)# exit
Device(config)# policy-map type inspect p1
Device(config-pmap)# class c1
Device(config-pmap-c)# inspect
Device(config-pmap-c)# exit
Device(config-pmap)# exit
Device(config)# zone security z1
Device(config-sec-zone)# exit
Device(config)# zone security z2
Device(config-sec-zone)# exit
Device(config)# zone-pair security inout source z1 destination z2
Device(config-sec-zone-pair)# service-policy type inspect p1
Device(config-sec-zone-pair)# end

      Additional References for Firewall Stateful Inspection of ICMP

      Related Documents

      Related Topic

      Document Title

      Cisco IOS commands

      Master Command List, All Releases

      Security commands

      Standards & RFCs

      Standard/RFCs

      Title

      RFC 792

      Internet Control Message Protocol

      RFC 950

      Internet Standard Subnetting Procedure

      RFC 1700

      Assigned Numbers

      Technical Assistance

      Description

      Link

      The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

      Feature Information for Firewall Stateful Inspection of ICMP

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
      Table 2 Feature Information for Firewall Stateful Inspection of ICMP

      Feature Name

      Releases

      Feature Information

      Firewall Stateful Inspection of ICMP

      Cisco IOS XE Release 2.1

      Cisco IOS XE Release 3.2S

      The Firewall Stateful Inspection of ICMP feature categorizes ICMPv4 messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMP messages that are generated within a private network and permits the entry of associated ICMP replies.