- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Prerequisites for Firewall Stateful Inspection of ICMP
- Restrictions for Firewall Stateful Inspection of ICMP
- Information About Firewall Stateful Inspection of ICMP
- How to Configure Firewall Stateful Inspection of ICMP
- Configuration Examples for Firewall Stateful Inspection of ICMP
- Additional References for Firewall Stateful Inspection of ICMP
- Feature Information for Firewall Stateful Inspection of ICMP
Firewall Stateful Inspection of ICMP
The Firewall Stateful Inspection of ICMP feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated within a private network and permits the entry of associated ICMP replies into the network. The Firewall Stateful Inspection of ICMP feature helps network administrators to debug network issues by using ICMP so that intruders cannot enter the network.
This module provides an overview of the firewall stateful inspection of ICMPv4 messages and describes how to configure the firewall to inspect ICMPv4 messages.
- Prerequisites for Firewall Stateful Inspection of ICMP
- Restrictions for Firewall Stateful Inspection of ICMP
- Information About Firewall Stateful Inspection of ICMP
- How to Configure Firewall Stateful Inspection of ICMP
- Configuration Examples for Firewall Stateful Inspection of ICMP
- Additional References for Firewall Stateful Inspection of ICMP
- Feature Information for Firewall Stateful Inspection of ICMP
Prerequisites for Firewall Stateful Inspection of ICMP
Restrictions for Firewall Stateful Inspection of ICMP
This feature does not work with the UDP traceroute utility, in which UDP datagrams are sent instead of ICMP packets. UDP traceroute is the default for UNIX systems. For a UNIX host to generate ICMP traceroute packets that are inspected by the firewall, use the “-I” option with the traceroute command.
Information About Firewall Stateful Inspection of ICMP
Overview of the Firewall Stateful Inspection of ICMP
Internet Control Management Protocol (ICMP) is a network protocol that provides information about a network and reports errors in the network. Network administrators use ICMP to debug network connectivity issues. To guard against potential intruders using ICMP to discover the topology of a private network, ICMPv4 messages can be blocked from entering a private network; however, network administrators may then be unable to debug the network.
You can configure Cisco routers to use access control lists (ACLs) to either completely allow or deny ICMPv4 messages. When using ACLs for ICMPv4 messages, message inspection has precedence over the configured allow or deny actions.
Informational messages that utilize a simple request/reply mechanism.
-
Error messages that indicate that some sort of error has occurred while delivering an IP packet.
Note
To prevent ICMP attacks from using the Destination Unreachable error message, only one Destination Unreachable message is allowed per session by the firewall.A host that is processing a UDP session that is traversing the firewall may generate an ICMP error packet with a Destination Unreachable message. In such cases, only one Destination Unreachable message is allowed through the firewall for that session.
The following ICMPv4 packet types are supported:
Packet Type |
Name |
Description |
---|---|---|
0 |
Echo Reply |
Reply to an echo request (type 8). |
3 |
Unreachable |
Possible reply to any request. |
8 |
Echo Request |
Ping or a traceroute request. |
11 |
Time Exceeded |
Reply if the time-to-live (TTL) size of a packet is zero. |
13 |
Timestamp Request |
Request. |
14 |
Timestamp Reply |
Reply to a timestamp request (type 13). |
ICMPv4 packet types 0 and 8 are used to ping a destination; the source sends out an Echo Request packet and the destination responds with an Echo Reply packet. Packet types 0, 8, and 11 are used for ICMPv4 traceroute (that is, Echo Request packets that are sent start with a TTL size of 1) and the TTL size is incremented for each hop. Intermediate hops respond to the Echo Request packet with a Time Exceeded packet and the final destination responds with an Echo Reply packet.
If an ICMPv4 error packet is an embedded packet, the embedded packet is processed according to the protocol and the policy configured for the packet. For example, if the embedded packet is a TCP packet, and a drop action is configured for the packet, the packet is dropped even if ICMPv4 has configured a pass action.
An ICMPv4 packet arrives at the source interface. The firewall uses the source and destination addresses of the packet without any change for packet inspection. The firewall uses IP addresses (source and destination), the ICMP type, and the protocol for session key creation and lookup.
The packet passes the firewall inspection.
Return traffic comes from the destination interface and, based on the ICMPv4 message type, the firewall creates the session lookup key.
- If the reply message is an informational message, the firewall uses the source and destination addresses from the packet without any change for packet inspection. Here, the destination port is the ICMPv4 message request type.
- If the reply message is an ICMPv4 error message, the firewall uses the payload packet present in the ICMP error packet to create the session key for session lookup.
If the firewall session lookup is successful, the packet passes the firewall inspection.
ICMP Inspection Checking
ICMP return packets are checked by the inspect code, and not by access control lists (ACLs). The inspect code tracks destination address from each outgoing packet and checks each return packet. For Echo Reply and Timestamp Reply packets, the return address is checked. For Unreachable and Time Exceeded packets, the intended destination address is extracted from the packet data and checked.
How to Configure Firewall Stateful Inspection of ICMP
Configuring Firewall Stateful Inspection of ICMP
1.
enable
2.
configure terminal
3.
access-list
access-list-number
{deny | permit}
icmp
source source-wildcard
destination destination-wildcard
4.
class-map type inspect
class-map-name
5.
match protocol
protocol-name
6.
exit
7.
policy-map type inspect
policy-map-name
8.
class
class-map-name
9.
inspect
10.
exit
11.
exit
12.
zone security
zone-name
13.
exit
14.
zone-pair security
zone-pair-name
source
source-zone
destination
destination-zone
15.
service-policy type inspect
policy-map-name
16.
end
DETAILED STEPS
Verifying Firewall Stateful Inspection of ICMP
You can use the following show commands in any order.
1.
enable
2.
show ip access-lists
3.
show policy-map type inspect
policy-map-name
4.
show policy-map type inspect zone-pair
zone-pair-name
5.
show zone security
zone-name
6.
show zone-pair security
[source
source-zone
destination
destination-zone]
DETAILED STEPS
Example:
The following sample output from the show ip access-lists command shows how ACLs are created for an ICMP session for which only ping packets were issued from the host:
Device# show ip access-lists Extended IP access list 102 permit icmp any host 192.168.133.3 time-exceeded permit icmp any host 192.168.133.3 unreachable permit icmp any host 192.168.133.3 timestamp-reply permit icmp any host 192.168.133.3 echo-reply (4 matches)
The following is sample output from the show policy-map type inspect p1 command:
Device# show policy-map type inspect p1 Policy Map type inspect p1 Class c1 Inspect
The following is sample output from the show policy-map type inspect zone-pair inout command:
Device# show policy-map type inspect zone-pair inout Zone-pair: inout Service-policy : p1 Class-map: c1 (match-all) Match: protocol icmp Inspect Session creations since subsystem startup or last reset 0 Current session counts (estab/half-open/terminating) [0:0:0] Maxever session counts (estab/half-open/terminating) [0:0:0] Last session created never Last statistic reset never Last session creation rate 0 half-open session total 0 Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytes
The following is sample output from the show zone security command:
Device# show zone security zone self Description: System defined zone
The following is sample output from the show zone-pair security command:
Device# show zone-pair security source z1 destination z2 zone-pair name inout Source-Zone z1 Destination-Zone z2 service-policy p1
Configuration Examples for Firewall Stateful Inspection of ICMP
Example: Configuring Firewall Stateful Inspection of ICMP
Device# configure terminal Device(config)# access-list 102 permit icmp 192.168.0.1 255.255.255.0 192.168.2.22 255.255.255.0 Device(config)# class-map type inspect c1 Device(config-cmap)# match protocol icmp Device(config-cmap)# exit Device(config)# policy-map type inspect p1 Device(config-pmap)# class c1 Device(config-pmap-c)# inspect Device(config-pmap-c)# exit Device(config-pmap)# exit Device(config)# zone security z1 Device(config-sec-zone)# exit Device(config)# zone security z2 Device(config-sec-zone)# exit Device(config)# zone-pair security inout source z1 destination z2 Device(config-sec-zone-pair)# service-policy type inspect p1 Device(config-sec-zone-pair)# end
Additional References for Firewall Stateful Inspection of ICMP
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
Standards & RFCs
Standard/RFCs |
Title |
---|---|
RFC 792 |
Internet Control Message Protocol |
RFC 950 |
Internet Standard Subnetting Procedure |
RFC 1700 |
Assigned Numbers |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Firewall Stateful Inspection of ICMP
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Firewall Stateful Inspection of ICMP |
Cisco IOS XE Release 2.1 Cisco IOS XE Release 3.2S |
The Firewall Stateful Inspection of ICMP feature categorizes ICMPv4 messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMP messages that are generated within a private network and permits the entry of associated ICMP replies. |