ICMP Traffic Is Not Inspected

Before versions 12.2(11)YU and 12.2(15)T, CBAC had no Internet Control Message Protocol (ICMP) inspection engine, so ICMP traffic was never inspected. However, some ICMP packets are necessary or at least very helpful on almost every real network. For example, path MTU discovery requires that ICMP packet-too-big messages be allowed, and debugging connectivity issues requires echo and echo-reply. Keep in mind, though, that some ICMP packets are dangerous, and allowing all ICMP packets always creates some level of security risk. So, if you are running a version older than 12.2(11)YU or 12.2(15)T, permit only the necessary ICMP packets for the return traffic on the incoming interface (the outside interface facing the unprotected network). Example 5-19 shows commonly used ICMP services on the ACL applied inbound on the outside interface.
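The following configuration is an added illustration of that approach, not the book's Example 5-19. It pairs a CBAC inspection rule for TCP and UDP with an inbound ACL on the outside interface that permits only the ICMP message types the paragraph names as useful, and denies everything else. The interface name `Serial0/0`, the inside network `192.0.2.0/24`, and the ACL and inspection-rule names are constructed for this example.

```cisco
! CBAC inspects outbound TCP/UDP sessions and opens temporary return
! holes in the inbound ACL. ICMP is not inspected on releases older than
! 12.2(11)YU / 12.2(15)T, so ICMP return traffic must be permitted
! statically here.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
! Inbound ACL on the outside (unprotected) interface.
! 192.0.2.0/24 is the constructed inside network.
ip access-list extended OUTSIDE-IN
 ! Replies to pings sent from the inside (connectivity debugging)
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 ! Needed for path MTU discovery to work
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 ! Needed for traceroute from the inside and for TTL expiry feedback
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 traceroute
 ! Destination-unreachable feedback for inside-initiated sessions
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 ! Unsolicited echo requests from the outside are NOT permitted here;
 ! add a narrow permit to a specific host only if you deliberately
 ! expose it to external pings.
 ! Everything else that CBAC has not opened a hole for is dropped and logged
 deny ip any any log
!
interface Serial0/0
 description Outside interface toward the unprotected network
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
```

Applying `ip inspect FW-INSPECT out` on the outside interface makes CBAC track sessions leaving the protected network and admit their TCP/UDP return traffic through `OUTSIDE-IN`; the static ICMP permits cover only what inspection cannot. On 12.2(15)T and later, the `ip inspect name FW-INSPECT icmp` rule can take over the stateful handling of echo/echo-reply and the related error messages, and the static ICMP permits can then be trimmed accordingly.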