Add ICMP to the ASA inspection engine

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

The default inspection engine configuration on the ASA is as follows.

    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global

By default, ICMP is not inspected, so an ICMP echo reply travelling from a lower security level to a higher security level is dropped, even when it is the response to an ICMP echo request.

The ICMP inspection engine allows ICMP traffic to be inspected statefully, like TCP and UDP traffic. It ensures that each ICMP echo request has only one response and that the sequence number is correct.

Without the ICMP inspection engine, using an ACL to allow ICMP through the ASA is generally not recommended, because it exposes the network to the risk of attack.

The following configuration adds ICMP to the inspection engine.

    policy-map global_policy
     class inspection_default
      inspect icmp

After the configuration is applied, hosts behind the low security level interface can be pinged from the high security level interface, and ICMP is inspected statefully at the same time.
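The one-reply-per-request rule described above, as a simplified Python model added here; it is not Cisco's implementation and not code from the original article. The class, function names and sample addresses are assumptions made for illustration.

```python
# Simplified model of stateful ICMP echo tracking (illustrative, not ASA code).
from typing import NamedTuple

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers (RFC 792)

class Icmp(NamedTuple):
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int

class IcmpInspector:
    """Records echo requests leaving the inside; admits one matching reply each."""

    def __init__(self):
        self.pending = set()  # (inside_host, outside_host, ident, seq)

    def outbound(self, p: Icmp) -> bool:
        """Packet going from high to low security level."""
        if p.icmp_type == ECHO_REQUEST:
            self.pending.add((p.src, p.dst, p.ident, p.seq))
        return True  # high -> low is permitted by default

    def inbound(self, p: Icmp) -> bool:
        """Packet going from low to high security level. True = forward."""
        if p.icmp_type != ECHO_REPLY:
            return False  # this model has no ACL permitting other inbound ICMP
        key = (p.dst, p.src, p.ident, p.seq)
        if key in self.pending:
            self.pending.remove(key)  # state consumed: one reply per request
            return True
        return False  # unsolicited, duplicate, or wrong sequence number

def run_demo():
    fw = IcmpInspector()
    inside, outside = "10.1.1.10", "203.0.113.5"  # constructed sample addresses
    fw.outbound(Icmp(inside, outside, ECHO_REQUEST, 0x1234, 1))
    return [
        fw.inbound(Icmp(outside, inside, ECHO_REPLY, 0x1234, 2)),  # wrong seq
        fw.inbound(Icmp(outside, inside, ECHO_REPLY, 0x1234, 1)),  # matches
        fw.inbound(Icmp(outside, inside, ECHO_REPLY, 0x1234, 1)),  # duplicate
        fw.inbound(Icmp("198.51.100.9", inside, ECHO_REPLY, 0x1234, 1)),  # other host
    ]

if __name__ == "__main__":
    print(run_demo())
```

A plain ACL permitting echo-reply would forward all four inbound packets in the demo; the stateful model forwards only the one that matches an outstanding request.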
