[c-nsp] enabling ICMP inspection on ASA
Philippe Strauss
philou at philou.ch
Fri May 18 11:02:47 EDT 2007
Hello c-nsp,
I find the ASA (v 7.2) doco rather thin about enabling ICMP inspection.
Relative to the default inspection settings which are:
--
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
--
I guess the following should work, but I'm unsure:
--
class-map DFI_INSPECTION_DEFAULT
 match any <--- !!!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map DFI_GLOBAL_POLICY
 class DFI_INSPECTION_DEFAULT
  inspect icmp <--- !!!
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy DFI_GLOBAL_POLICY global
--
Can anyone more experienced confirm or modify my config?
Thanks!
--
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch
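An offline sanity check for a candidate config like the one above, added here as an example that is not from the original post or from Cisco: it parses the ASA MPF blocks and resolves service-policy -> policy-map -> class -> class-map, so you can confirm before applying the change that "inspect icmp" is actually reached by the global policy and see what traffic the class it sits in matches. The function names and the abbreviated sample configs (trimmed from the ones in the post) are my own.

```python
# Constructed sample: the default ASA 7.2 policy quoted in the post, trimmed (no ICMP inspection).
DEFAULT_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
"""
# The post's candidate, derived from the default: renamed maps, "match any", "inspect icmp".
CANDIDATE_CONFIG = (DEFAULT_CONFIG
    .replace("inspection_default", "DFI_INSPECTION_DEFAULT")
    .replace("global_policy", "DFI_GLOBAL_POLICY")
    .replace("match default-inspection-traffic", "match any")
    .replace("  inspect dns", "  inspect icmp\n  inspect dns"))

def parse_mpf(text):
    """Walk class-map / policy-map / service-policy blocks of ASA MPF config text."""
    class_maps, policy_maps, service_policies = {}, {}, []
    cmap = pmap = cls = None
    for line in filter(None, map(str.strip, text.splitlines())):
        words = line.split()
        if line.startswith("policy-map type inspect "):  # protocol map (e.g. dns): skip its body
            cmap = pmap = cls = None
        elif words[0] == "class-map":
            cmap, pmap, cls = words[1], None, None
            class_maps[cmap] = []
        elif words[0] == "policy-map":
            pmap, cmap, cls = words[1], None, None
            policy_maps[pmap] = {}
        elif words[0] == "service-policy":
            service_policies.append((words[1], " ".join(words[2:])))  # (map, "global"/"interface X")
        elif cmap and words[0] == "match":
            class_maps[cmap].append(" ".join(words[1:]))
        elif pmap and words[0] == "class":
            policy_maps[pmap].setdefault(cls := words[1], [])
        elif pmap and cls and words[0] == "inspect":
            policy_maps[pmap][cls].append(words[1])
    return class_maps, policy_maps, service_policies

def icmp_inspection_status(text):
    """Return (policy_map, scope, class, match lines) where 'inspect icmp' applies, else None."""
    class_maps, policy_maps, service_policies = parse_mpf(text)
    for pmap, scope in service_policies:
        for cls, inspects in policy_maps.get(pmap, {}).items():
            if "icmp" in inspects:
                return pmap, scope, cls, class_maps.get(cls, [])
    return None
```

Run it against the full "show running-config" text rather than the trimmed sample to check a real box; a result of None means no applied policy inspects ICMP at all.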