Internet Control Message Protocol (ICMP) is a network protocol that provides information about a network and reports errors in the network. Network administrators use ICMP to debug network connectivity issues. To guard against potential intruders using ICMP to discover the topology of a private network, ICMPv4 messages can be blocked from entering a private network; however, network administrators may then be unable to debug the network.
You can configure Cisco routers to use access control lists (ACLs) to either completely allow or deny ICMPv4 messages. When using ACLs for ICMPv4 messages, message inspection has precedence over the configured allow or deny actions.
ICMPv4 messages that use the IP protocol can be categorized into the following two types:
The following ICMPv4 packet types are supported:

Table 1. ICMPv4 Packet Types

| Packet Type | Name | Description |
|---|---|---|
| 0 | Echo Reply | Reply to an echo request (type 8). |
| 3 | Unreachable | Possible reply to any request. |
| 8 | Echo Request | Ping or a traceroute request. |
| 11 | Time Exceeded | Reply if the time-to-live (TTL) size of a packet is zero. |
| 13 | Timestamp Request | Request. |
| 14 | Timestamp Reply | Reply to a timestamp request (type 13). |
ICMPv4 packet types 0 and 8 are used to ping a destination: the source sends out an Echo Request packet and the destination responds with an Echo Reply packet. Packet types 0, 8, and 11 are used for ICMPv4 traceroute: the Echo Request packets that are sent start with a TTL of 1, and the TTL is incremented for each hop. Intermediate hops respond to the Echo Request packet with a Time Exceeded packet, and the final destination responds with an Echo Reply packet.
If an ICMPv4 error packet contains an embedded packet, the embedded packet is processed according to the protocol and the policy configured for that packet. For example, if the embedded packet is a TCP packet and a drop action is configured for TCP, the packet is dropped even if a pass action is configured for ICMPv4.
The following scenario describes how ICMPv4 packets pass through the firewall:

- An ICMPv4 packet arrives at the source interface. The firewall uses the source and destination addresses of the packet without any change for packet inspection. The firewall uses IP addresses (source and destination), the ICMP type, and the protocol for session key creation and lookup.
- The packet passes the firewall inspection.
- Return traffic comes from the destination interface and, based on the ICMPv4 message type, the firewall creates the session lookup key.
  - If the reply message is an informational message, the firewall uses the source and destination addresses from the packet without any change for packet inspection. Here, the destination port is the ICMPv4 message request type.
  - If the reply message is an ICMPv4 error message, the firewall uses the payload packet present in the ICMP error packet to create the session key for session lookup.
- If the firewall session lookup is successful, the packet passes the firewall inspection.
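As an added illustration of the session-key rules above (example code, not Cisco's implementation), the following Python builds the (source, destination, protocol, port/type) key for informational and error ICMPv4 messages and looks a reply up against the sessions created by the outbound packets. The packet layouts and addresses are constructed; matching an informational reply against the reverse of the original flow is an assumption about how direction is handled, since the text only states that the reply's addresses are used unchanged.

```python
import struct
from ipaddress import IPv4Address

# ICMPv4 types from Table 1. For informational messages the firewall uses the
# request type as the session "destination port" (0 -> 8, 14 -> 13).
REQUEST_TYPE = {8: 8, 0: 8, 13: 13, 14: 13}
ERROR_TYPES = {3, 11}  # Unreachable, Time Exceeded

def ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def icmp(type_, body=b""):
    """Constructed ICMP header (type, code 0, checksum left zero) plus body."""
    return struct.pack("!BBH", type_, 0, 0) + body

def parse(pkt):
    """Split an IPv4 packet into (src, dst, protocol, layer-4 bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:])

def session_key(pkt):
    """Key the firewall creates for a packet: (src, dst, proto, port/type)."""
    src, dst, proto, l4 = parse(pkt)
    if proto != 1:
        # TCP/UDP: destination port follows the 2-byte source port.
        return (src, dst, proto, struct.unpack("!H", l4[2:4])[0])
    icmp_type = l4[0]
    if icmp_type in ERROR_TYPES:
        # Error message: the key comes from the embedded original packet that
        # follows the 8-byte ICMP header; the outer addresses are not used.
        return session_key(l4[8:])
    return (src, dst, 1, REQUEST_TYPE[icmp_type])

def lookup(table, pkt):
    """True if a returning packet matches a session created on the way out."""
    _, _, proto, l4 = parse(pkt)
    key = session_key(pkt)
    if proto == 1 and l4[0] in ERROR_TYPES:
        return key in table        # embedded packet already names the flow
    src, dst, proto, port = key    # assumption: replies match the reverse flow
    return (dst, src, proto, port) in table
```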