3-9
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Access Rules
Configure Access Control
If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.

We recommend that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and PPTP traffic. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process. See RFC 1195 and RFC 1435 for details about path MTU discovery.
Procedure

Step 1  Create rules for ICMP traffic.

icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name

If you do not specify an icmp_type, the rule applies to all types. You can enter the number or the name. To control ping, specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA).

For the address, you can apply the rule to any address, to a single host, or to a network (ip_address mask).
Step 2  Create rules for ICMPv6 (IPv6) traffic.

ipv6 icmp {permit | deny} {host ipv6_address | ipv6-network/prefix-length | any} [icmp_type] interface_name

If you do not specify an icmp_type, the rule applies to all types.

For the address, you can apply the rule to any address, to a single host, or to a network (ipv6-network/prefix-length).
Step 3  (Optional.) Set rate limits on ICMP unreachable messages so that the ASA will appear in traceroute output.

icmp unreachable rate-limit rate burst-size size

Example

hostname(config)# icmp unreachable rate-limit 50 burst-size 1

The rate limit can be 1-100, with 1 being the default. The burst size is meaningless, but must be 1-10.

Increasing the rate limit, along with enabling the set connection decrement-ttl command in a service policy, is required to allow a traceroute through the ASA that shows the ASA as one of the hops. For example, the following policy decrements the time-to-live (TTL) value for all traffic through the ASA.

class-map global-class
 match any
policy-map global_policy
 class global-class
  set connection decrement-ttl
Examples

The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface:

hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside
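The following is an added example, not from the Cisco guide, that puts the implicit-deny pitfall described at the top of this section beside the corrected rule list. It assumes an interface named outside and a management host at 192.0.2.10 / 2001:db8::10 (constructed values); ICMP types not named on this page are given by number.

```cisco
! Added example, not from the Cisco guide. Assumed values: interface "outside",
! management host 192.0.2.10 and 2001:db8::10 (constructed addresses).
!
! Goal: only the management host may ping the outside interface; every other
! ICMP message type should keep behaving as it did before any rules existed.

! --- Weak: the ping restriction works, but the side effect is not intended ---
! Once any icmp rule exists for "outside", an implicit deny is appended to the
! list. These two rules therefore also drop unreachable (type 3), time-exceeded
! (type 11) and so on, which disables path MTU discovery for IPsec/PPTP here.
hostname(config)# icmp permit host 192.0.2.10 echo outside
hostname(config)# icmp deny any echo outside

! --- Corrected: the same two rules, then a trailing permit any ---
! Rules are matched in order, so echo from any other host still hits the deny,
! while every remaining type (including unreachable, type 3) reaches "permit any"
! before the implicit deny at the end of the list.
hostname(config)# icmp permit host 192.0.2.10 echo outside
hostname(config)# icmp deny any echo outside
hostname(config)# icmp permit any outside

! The ICMPv6 rule list gets its own implicit deny in the same way, and IPv6
! neighbor discovery depends on ICMPv6, so the trailing permit any matters
! even more here. 128 = ICMPv6 echo request.
hostname(config)# ipv6 icmp permit host 2001:db8::10 128 outside
hostname(config)# ipv6 icmp deny any 128 outside
hostname(config)# ipv6 icmp permit any outside

! Verify that both lists end with the permit any rule, in the order entered.
hostname(config)# show running-config | include icmp
```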