Hello c-nsp,

I find the ASA (v7.2) documentation rather thin on enabling ICMP inspection,
relative to the default inspection settings, which are:

--

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global

--

I guess the following should work, but I'm unsure:

--

class-map DFI_INSPECTION_DEFAULT
 match any <--- !!!

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map DFI_GLOBAL_POLICY
 class DFI_INSPECTION_DEFAULT
  inspect icmp <--- !!!
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy DFI_GLOBAL_POLICY global

--

Can anyone more experienced confirm or modify my config?
Thanks!

-- 
Philippe Strauss
av. de Beaulieu 25
1004 Lausanne
http://philou.ch
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

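As an added example that is not part of the original post or of any reply to it: the usual way to turn on ICMP inspection on an ASA 7.x is to add "inspect icmp" to the existing inspection_default class, because "match default-inspection-traffic" already matches ICMP. A separate "match any" class is not needed for this; the ASA only accepts several "inspect" commands under a class that matches default-inspection-traffic, so a class built on "match any" can carry one inspection, not the whole list above. The ACL and interface names below are assumptions.

```text
! Added example, not from the original post. Assumes the default
! global_policy / inspection_default shown above is still in place.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! With ICMP inspection on, an echo-request leaving the inside creates a
! connection entry and the matching echo-reply is allowed back in
! statefully; "inspect icmp error" additionally ties ICMP error messages
! (unreachable, time-exceeded) to that connection and rewrites the
! embedded IP header through NAT. Without inspection the return traffic
! must be permitted explicitly on the outside interface ACL, e.g.
! (ACL and interface names are assumptions):
!
! access-list OUTSIDE_IN extended permit icmp any any echo-reply
! access-list OUTSIDE_IN extended permit icmp any any time-exceeded
! access-list OUTSIDE_IN extended permit icmp any any unreachable
! access-group OUTSIDE_IN in interface outside
!
! Verify that the engine is active and that ICMP connections are built:
! show service-policy inspect icmp
! show conn | include ICMP
```

The security-relevant point is that inspection replaces the blanket "permit icmp any any echo-reply" style ACL entries with per-flow state, so unsolicited echo-replies and ICMP errors that do not match an outbound request are dropped at the outside interface rather than admitted by a standing rule.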