-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
-
Automatic Signature Extraction
-
Cisco IOS Firewall Overview
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Stateful Failover
-
Cisco IOS Firewall Support for TRP
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Unicast Reverse Path Forwarding (uRPF)
- Threat Information Distribution Protocol (TIDP) and TMS
-
Table Of Contents
Firewall Stateful Inspection of ICMP
Restrictions for Firewall Stateful Inspection of ICMP
Information About Firewall Stateful Inspection of ICMP
Feature Design of Firewall Stateful Inspection of ICMP
How to Use Firewall Stateful Inspection of ICMP
Configuring Firewall Stateful Inspection for ICMP
Verifying Firewall and ICMP Session Information
Monitoring Firewall and ICMP Session Information
Configuration Examples for Stateful Inspection of ICMP
Firewall Stateful Inspection for ICMP Configuration Example
Checking for ICMP Inspection Example
ICMP Session Verification Example
Firewall Stateful Inspection of ICMP
The Firewall Stateful Inspection of ICMP feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection to "trust" ICMP messages that are generated within a private network and to permit the associated ICMP replies. Thus, network administrators can debug network issues by using ICMP without concern that possible intruders may enter the network.
Feature Specifications for the Firewall Stateful Inspection of ICMP feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Restrictions for Firewall Stateful Inspection of ICMP
•
•
•
Restrictions for Firewall Stateful Inspection of ICMP
•
•
Information About Firewall Stateful Inspection of ICMP
The following sections provide information about Cisco IOS Firewall Stateful Inspection of ICMP:
•
Feature Design of Firewall Stateful Inspection of ICMP
ICMP is used to report errors and information about a network. It is a useful tool for network administrators who are trying to debug network connectivity issues. Unfortunately, intruders can also use ICMP to discover the topology of a private network. To guard against a potential intruder, ICMP messages can be blocked from entering a private network; however, a network administrator may then be unable to debug the network. Although a Cisco IOS router can be configured using access lists to selectively allow certain ICMP messages through the router, the network administrator must still guess which messages are potentially malicious and which messages are benign. With the introduction of this feature, a user can now configure a Cisco IOS firewall for stateful inspection to "trust" that the ICMP messages are generated within the private network and to permit the associated ICMP replies.
Note
Stateful inspection of ICMP packets is limited to the most common types of ICMP messages that are useful to network administrators who are trying to debug their networks. That is, ICMP messages that do not provide a valuable tool for the internal network administrator will not be allowed. For the Cisco IOS firewall-supported ICMP message request types, see Table 29.
Note
Packet types 0, 8, and 11 are used for ICMP traceroute: Echo Request packets are sent out starting with a TTL packet of 1, and the TTL is incremented for each hop. The intermediate hops respond to the Echo Request packet with a Time Exceeded packet; the final destination responds with an Echo Reply packet.
ICMP Inspection Checking
Return packets are checked by the inspect code, not by ACLs. The inspect code tracks each destination address from outgoing packets and checks each return packet. For ECHO REPLY and TIMESTAMP REPLY packets, the return address is checked. For UNREACHABLE and TIME EXCEEDED packets, the intended destination address is extracted from the packet data and checked.
For more information, see Checking for ICMP Inspection Example.
How to Use Firewall Stateful Inspection of ICMP
This section contains the following procedures:
•
•
•
Configuring Firewall Stateful Inspection for ICMP
To enable the Cisco IOS Firewall to start inspection ICMP messages, perform the following steps:
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying Firewall and ICMP Session Information
To display active ICMP session and IP access list information, perform the following optional steps:
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
show ip inspect session [detail]
Example:Router# show ip inspect session
(Optional) Displays existing sessions that are currently being tracked and inspected by the Cisco IOS firewall.
•
Step 3
show ip access-list
Example:Router# show ip access-list(Optional) Displays the contents of all current IP access lists.
For a sample output example, see the section "ICMP Session Verification Example."
Monitoring Firewall and ICMP Session Information
To monitor debugging messages related to ICMP inspection, perform the following optional steps:
Note
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for Stateful Inspection of ICMP
This section provides the following configuration examples:
•
•
•
Firewall Stateful Inspection for ICMP Configuration Example
The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced 1 second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.
The following example shows how to configure a firewall for stateful inspection of ICMP packets:
no service padservice timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname UUT!ip subnet-zerono ip domain lookup!ip inspect audit-trailip inspect name test icmp alert on audit-trail on timeout 30!interface Ethernet0ip address 192.168.10.2 255.255.255.0ip inspect test in!interface Ethernet1ip address 192.168.20.2 255.255.255.0ip access-group 101 in!ip classlessip route 0.0.0.0 0.0.0.0 192.168.20.3no ip http server!access-list 101 deny ip any any!line con 0exec-timeout 0 0!endChecking for ICMP Inspection Example
In the following example, three destinations were pinged. The example shows that the inspect code tracked each destination address in the inspect session information.
fw_1751#sh ip insp sess detailEstablished SessionsSession 813A1808 (192.168.156.5:0)=>(0.0.0.0:0) icmp SIS_OPENCreated 00:04:20, Last heard 00:00:00Destinations: 3Dest addr [192.168.131.3]Dest addr [192.168.131.7]Dest addr [192.168.131.31]Bytes sent (initiator:responder) [8456:5880] acl created 4Inbound access-list 102 applied to interface Ethernet0/0Inbound access-list 102 applied to interface Ethernet0/0Inbound access-list 102 applied to interface Ethernet0/0Inbound access-list 102 applied to interface Ethernet0/0ICMP Session Verification Example
The following example is sample output from the show ip access-list command. In this example, Access Control Lists (ACLs) are created for an ICMP session on which only ping packets were issued from the host.
Router# show ip access-list 101Extended IP access list 101permit icmp any host 192.168.133.3 time-exceededpermit icmp any host 192.168.133.3 unreachablepermit icmp any host 192.168.133.3 timestamp-replypermit icmp any host 192.168.133.3 echo-reply (4 matches)Additional References
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
RFC 792
Internet Control Message Protocol
RFC 950
Internet Standard Subnetting Procedure
RFC 1700
Assigned Numbers
1 Not all supported RFCs are listed.
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
Glossary
ACL—access control list. An ACL is a list kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
CBAC—Context-Based Access Control. CBAC is the name given to the Cisco IOS Firewall subsystem.
firewall—A firewall is a networking device that controls access to the network assets of your organization. Firewalls are positioned at the entrance points into your network. If your network has multiple entrance points, you must position a firewall at each point to provide effective network access control.
The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or elaborate, depending on your network requirements. Simple firewalls are usually easier to configure and manage. However, you might require the flexibility of a more elaborate firewall.
ICMP—Internet Control Message Protocol. An ICMP is a network layer Internet protocol that reports errors and provides other information relevant to IP packet processing.
RPC—remote-procedure call. A RPC is the technological foundation of client or server computing. RPCs are procedure calls that are built or specified by clients and are executed on servers, with the results returned over the network to the clients.
RTSP—Real Time Streaming Protocol. RTSP enables the controlled delivery of real-time data, such as audio and video. Sources of data can include both live data feeds, such as live audio and video, and stored content, such as prerecorded events. RTSP is designed to work with established protocols, such as RTP and HTTP.
SIP—Session Initiation Protocol. SIP is a protocol developed by the IETF MUSIC Working Group as an alternative to H.323. SIP features are compliant with IETF RFC 2543, published in March 1999. SIP equips platforms to signal the setup of voice and multimedia calls over IP networks.
SMTP—simple mail transfer protocol. SMTP is an Internet protocol providing e-mail services.
UDP—User Datagram Protocol. A UDP is a connectionless transport layer protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery, requiring that error processing and retransmission be handled by other protocols. UDP is defined in RFC 768.
Note
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
