ICMP Traffic to the Firewall

ICMP traffic through the firewall isn’t allowed by default and must be specifically allowed by creating access-list/access-group commands or conduit commands on older IOS versions (4.x). These commands, and the access lists required to allow ICMP traffic, are covered in detail in the next chapter.

On the other hand, ICMP traffic originating on or terminating at the firewall is allowed by default. The configuration mode command icmp controls ICMP traffic that terminates anywhere on the PIX Firewall. If no ICMP access control list is configured, then the PIX Firewall accepts all ICMP traffic that terminates at the interface. The key word here is “terminates”—the firewall is the destination.

Using the icmp {permit | deny} command to allow or block pings to an interface is referred to as configurable proxy pinging. Use the no form of the command to remove a specific ICMP statement, or use the clear icmp command to remove the entire ICMP control list. The syntax is

pix(config)#icmp {permit | deny} [host] src_addr [src_mask] [type] int_name
pix(config)#no icmp {permit | deny} [host] src_addr [src_mask] [type] int_name
pix(config)#clear icmp

permit               Allows the PIX Firewall interface to be pinged (default)
deny                 Prevents the PIX Firewall interface from being pinged
host src_addr        Specifies a single host address to be permitted or denied to ping the interface
src_addr src_mask    Defines the network address and network mask used to define multiple hosts
type                 Describes the ICMP message type, as in the following table
int_name             Defines the name of the PIX Firewall interface being permitted/denied

The following table lists possible ICMP type values and their literal equivalents. While either form can be used with the command, the literal is much easier to interpret for anyone who has to support the PIX device in the future. Typing ? will list the acceptable options while building the command.

Type   Literal                 Type   Literal
0      echo-reply              12     parameter-problem
3      unreachable             13     timestamp-reply
4      source-quench           14     timestamp-request
5      redirect                15     information-request
6      alternate-address       16     information-reply
8      echo                    17     mask-request
9      router-advertisement    18     mask-reply
10     router-solicitation     31     conversion-error
11     time-exceeded           32     mobile-redirect

It’s important to understand that creating an ICMP control list effectively switches the firewall from accepting all ICMP traffic to all interfaces to accepting only that traffic specifically allowed by the ICMP statements. There is, in fact, an implicit deny any statement similar to other ACLs. If the new packet is matched first by a permit statement, the ICMP packet continues to be processed normally. But, if the first matched entry is a deny statement or no matching statement exists, then the PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 Syslog message. The Syslog message syntax is

%PIX-3-313001: Denied ICMP type=type, code=code from src_addr on interface int_name
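Because every packet the ICMP control list discards produces this one message, it is the natural thing to watch on the Syslog collector. The following parser and counter is an added example, not part of the original text: it matches the %PIX-3-313001 format given above on constructed sample log lines (documentation addresses, not a real capture), counts denials per source, interface and ICMP type number, and lists sources that reach a threshold. Type numbers are reported as numbers; map them with the literal table above if needed.

```python
import re
from collections import Counter

# Regex for the %PIX-3-313001 message in the form documented above. A syslog
# collector usually prefixes a timestamp and hostname, so the pattern is searched
# for anywhere in the line rather than anchored at its start.
DENIED_ICMP_RE = re.compile(
    r"%PIX-3-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) on interface (?P<iface>\S+)"
)


def parse_denied_icmp(line):
    """Return a dict with type, code, src and interface, or None for any other message."""
    m = DENIED_ICMP_RE.search(line)
    if m is None:
        return None
    return {
        "type": int(m.group("type")),
        "code": int(m.group("code")),
        "src": m.group("src"),
        "interface": m.group("iface"),
    }


def summarize_denied(lines):
    """Count denied ICMP packets per (source address, interface, ICMP type number)."""
    counts = Counter()
    for line in lines:
        rec = parse_denied_icmp(line)
        if rec is not None:
            counts[(rec["src"], rec["interface"], rec["type"])] += 1
    return counts


def noisy_sources(counts, threshold):
    """Sources whose total denied count, over all interfaces and types, reaches threshold."""
    per_src = Counter()
    for (src, _iface, _type), n in counts.items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)


# Constructed sample syslog lines (documentation addresses, not a real capture).
# The 302013 line is an unrelated connection message included to show it is ignored.
SAMPLE_LOG = """\
Mar 12 10:01:02 pix1 %PIX-3-313001: Denied ICMP type=8, code=0 from 203.0.113.7 on interface outside
Mar 12 10:01:03 pix1 %PIX-3-313001: Denied ICMP type=8, code=0 from 203.0.113.7 on interface outside
Mar 12 10:01:03 pix1 %PIX-6-302013: Built outbound TCP connection 1182 for outside:198.51.100.9/443
Mar 12 10:01:04 pix1 %PIX-3-313001: Denied ICMP type=8, code=0 from 203.0.113.7 on interface outside
Mar 12 10:01:05 pix1 %PIX-3-313001: Denied ICMP type=13, code=0 from 198.51.100.22 on interface outside
Mar 12 10:01:09 pix1 %PIX-3-313001: Denied ICMP type=8, code=0 from 192.0.2.44 on interface inside
""".splitlines()

if __name__ == "__main__":
    counts = summarize_denied(SAMPLE_LOG)
    for (src, iface, icmp_type), n in sorted(counts.items()):
        print(f"{src:<16} {iface:<8} type={icmp_type:<3} denied={n}")
    print("sources with 3 or more denials:", noisy_sources(counts, 3))
```

A denied echo (type 8) from the inside interface, as in the last sample line, usually means an inside host or monitoring system is pinging the firewall after a control list was added for the outside interface only, which is the implicit-deny behaviour described above.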

To avoid unintentionally stopping IPSec and PPTP traffic when the ICMP control list is used, create a statement that permits ICMP unreachable (type 3) message traffic to the appropriate interface. Denying the ICMP unreachable messages disables ICMP Path MTU discovery, which is required by IPSec and PPTP. The next examples show the statement.

The following example denies all ping requests directed at the outside interface and permits all unreachable messages at the outside interface. Notice that the ACL keyword any can be used as the source address.

pix(config)#icmp deny any echo outside
pix(config)#icmp permit any unreachable outside

This next example will permit host 192.168.1.49 or hosts on the network 192.168.2.0/24 to ping the outside interface. The last line again permits all unreachable messages at the outside interface.

pix(config)#icmp permit host 192.168.1.49 echo outside
pix(config)#icmp permit 192.168.2.0 255.255.255.0 echo outside
pix(config)#icmp permit any unreachable outside
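The first-match evaluation, the implicit deny, and the Path MTU caveat are easy to get wrong when a list grows beyond three lines. The following Python model is an added example, not code from the original text or from Cisco: it parses icmp permit/deny statements in the syntax given above (host, address/mask, any, and the optional type as literal or number), applies the evaluation rule described above (no list means accept everything; otherwise the first matching entry decides and anything unmatched is denied), builds the %PIX-3-313001 message for a discarded packet, and includes a small check for the unreachable (type 3) permit that Path MTU discovery needs. The constructed configuration is the second example above; note that a ping request is ICMP echo (type 8), so that is the type the permit entries use.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type literals accepted by the icmp command (the table above).
ICMP_LITERALS = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "alternate-address": 6, "echo": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-reply": 13, "timestamp-request": 14, "information-request": 15,
    "information-reply": 16, "mask-request": 17, "mask-reply": 18,
    "conversion-error": 31, "mobile-redirect": 32,
}


@dataclass
class IcmpRule:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # "any" becomes 0.0.0.0/0, "host X" becomes X/32
    icmp_type: Optional[int]        # None when the optional type is omitted (matches all types)
    interface: str


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse one 'icmp {permit | deny} [host] src_addr [src_mask] [type] int_name' line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp permit/deny statement: {line!r}")
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        source, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        source, rest = ipaddress.IPv4Network(f"{rest[1]}/32"), rest[2:]
    else:  # src_addr src_mask
        source, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
    if len(rest) == 2:      # [type] int_name, type given as a literal or a number
        icmp_type = ICMP_LITERALS[rest[0]] if rest[0] in ICMP_LITERALS else int(rest[0])
        interface = rest[1]
    elif len(rest) == 1:    # type omitted
        icmp_type, interface = None, rest[0]
    else:
        raise ValueError(f"cannot parse: {line!r}")
    return IcmpRule(action, source, icmp_type, interface)


def evaluate(rules: List[IcmpRule], src: str, icmp_type: int, interface: str) -> str:
    """Decide the fate of an ICMP packet terminating at the named PIX interface.

    Models the behaviour described above: with no ICMP control list every packet is
    accepted; once any statement exists, the first matching entry decides and a
    packet that matches nothing is denied (implicit deny).
    """
    if not rules:
        return "permit"
    src_ip = ipaddress.IPv4Address(src)
    for rule in rules:
        if rule.interface != interface or src_ip not in rule.source:
            continue
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        return rule.action
    return "deny"


def denied_syslog(src: str, icmp_type: int, code: int, interface: str) -> str:
    """The %PIX-3-313001 message the PIX generates for a discarded ICMP packet."""
    return (f"%PIX-3-313001: Denied ICMP type={icmp_type}, code={code} "
            f"from {src} on interface {interface}")


def permits_unreachable_from_any(rules: List[IcmpRule], interface: str) -> bool:
    """Lint for the Path MTU discovery caveat: in first-match order, does an 'any'
    source entry on this interface permit ICMP unreachable (type 3)? Entries with a
    narrower source are skipped because they do not cover every sender."""
    for r in rules:
        if r.interface != interface or r.source.prefixlen != 0:
            continue
        if r.icmp_type in (None, ICMP_LITERALS["unreachable"]):
            return r.action == "permit"
    return False


# Constructed configuration: the second example above, permitting pings (echo, type 8)
# to the outside interface from one host and one /24, plus unreachable for PMTU discovery.
EXAMPLE_CONFIG = [
    "icmp permit host 192.168.1.49 echo outside",
    "icmp permit 192.168.2.0 255.255.255.0 echo outside",
    "icmp permit any unreachable outside",
]
RULES = [parse_icmp_rule(line) for line in EXAMPLE_CONFIG]

if __name__ == "__main__":
    for src, t in [("192.168.1.49", 8), ("192.168.2.77", 8), ("10.1.1.1", 8), ("10.1.1.1", 3)]:
        verdict = evaluate(RULES, src, t, "outside")
        print(src, t, verdict, "" if verdict == "permit" else denied_syslog(src, t, 0, "outside"))
    print("PMTU-safe on outside:", permits_unreachable_from_any(RULES, "outside"))
```

Running the model also shows the side effect the text warns about: once the three entries above exist, an echo request arriving at the inside interface is denied too, because no entry names that interface and the implicit deny applies to the whole list.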

The show icmp Command

The show icmp command displays any icmp commands in the configuration.

The debug icmp trace Command

The debug icmp trace command shows, in real time, all ICMP echo requests and replies sent to or through the PIX.

pix#debug icmp trace
1: Outbound ICMP echo request (len 32 id 7 seq 1004) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
2: Inbound ICMP echo reply (Len 32 id 26 seq 1004) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
3: Outbound ICMP echo request (Len 32 id 7 seq 1051) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
4: Inbound ICMP echo reply (Len 32 id 26 seq 1051) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
---- output omitted ----
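Reading this output by eye works for four lines; for a longer trace it helps to pair each request with its reply and see which requests went unanswered. The following parser is an added example, not part of the original text: it reads trace lines in the format shown above (the three addresses are the original source, the address the PIX presents, and the destination), pairs requests with replies by sequence number and endpoints rather than by id, since the id differs between request and reply in the sample above, and reports requests with no reply. The sample is the trace above plus one constructed unanswered request (seq 1099).

```python
import re

# One line of "debug icmp trace" output as shown above:
#   N: <Outbound|Inbound> ICMP echo <request|reply> (len 32 id 7 seq 1004) A > B > C
# The sample prints both "len" and "Len", so both spellings are accepted.
TRACE_RE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<dir>Outbound|Inbound) ICMP echo (?P<kind>request|reply) "
    r"\((?:len|Len) (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<hops>[\d.]+(?: > [\d.]+)+)\s*$"
)


def parse_trace_line(line):
    """Return the fields of one trace line, or None for lines that are not trace records."""
    m = TRACE_RE.match(line)
    if m is None:
        return None
    hops = m.group("hops").split(" > ")
    return {
        "n": int(m.group("n")),
        "direction": m.group("dir"),
        "kind": m.group("kind"),
        "len": int(m.group("len")),
        "id": int(m.group("id")),
        "seq": int(m.group("seq")),
        "src": hops[0],          # original sender
        "via": hops[1:-1],       # address(es) the PIX presents along the way
        "dst": hops[-1],         # final destination
    }


def correlate(lines):
    """Pair echo requests with replies. Returns (pairs, unanswered_requests).

    A reply belongs to the request whose source is the reply's destination, whose
    destination is the reply's source, and whose seq matches.
    """
    pending = {}     # (request src, request dst, seq) -> request record
    pairs = []
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        if rec["kind"] == "request":
            pending[(rec["src"], rec["dst"], rec["seq"])] = rec
        else:
            req = pending.pop((rec["dst"], rec["src"], rec["seq"]), None)
            if req is not None:
                pairs.append((req, rec))
    return pairs, list(pending.values())


# Constructed sample: the four lines above plus one request (seq 1099) that never gets a reply.
SAMPLE_TRACE = """\
1: Outbound ICMP echo request (len 32 id 7 seq 1004) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
2: Inbound ICMP echo reply (Len 32 id 26 seq 1004) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
3: Outbound ICMP echo request (Len 32 id 7 seq 1051) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
4: Inbound ICMP echo reply (Len 32 id 26 seq 1051) 172.16.4.50 > 172.16.1.78 > 192.168.1.2
5: Outbound ICMP echo request (Len 32 id 7 seq 1099) 192.168.1.2 > 172.16.1.78 > 172.16.4.50
---- output omitted ----
""".splitlines()

if __name__ == "__main__":
    pairs, unanswered = correlate(SAMPLE_TRACE)
    for req, rep in pairs:
        print(f"seq {req['seq']}: {req['src']} -> {req['dst']} answered (id {req['id']} out, {rep['id']} back)")
    for req in unanswered:
        print(f"seq {req['seq']}: {req['src']} -> {req['dst']} no reply seen")
```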
