How to setup ICMP rule on SA4500 via Access Contro...

Cameron1_ · ‎06-27-2014

How do I allow ping on Access Control?

Under - Users > Resource Policies > VPN Tunneling > Access Control

I have the option to allow all icmp using the syntax of "icmp://*:*" but I want to limit access to only ping (icmp type 8 echo and type 0 echo reply) and prevent all other types (traceroute etc.)

Here are the examples from the system which are quite limited in number and type...

Examples:
tcp://*:1-1024
tcp://*:80,443
udp://10.10.10.0/24:*
icmp://10.10.10.10/255.255.255.255
10.10.10.0/24

Here is a list of ICMP Types - copied from: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

Type	Name	Reference
0	Echo Reply	[RFC792]
1	Unassigned
2	Unassigned
3	Destination Unreachable	[RFC792]
4	Source Quench (Deprecated)	[RFC792][RFC6633]
5	Redirect	[RFC792]
6	Alternate Host Address (Deprecated)	[RFC6918]
7	Unassigned
8	Echo	[RFC792]
9	Router Advertisement	[RFC1256]
10	Router Solicitation	[RFC1256]
11	Time Exceeded	[RFC792]
12	Parameter Problem	[RFC792]
13	Timestamp	[RFC792]
14	Timestamp Reply	[RFC792]
15	Information Request (Deprecated)	[RFC792][RFC6918]
16	Information Reply (Deprecated)	[RFC792][RFC6918]
17	Address Mask Request (Deprecated)	[RFC950][RFC6918]
18	Address Mask Reply (Deprecated)	[RFC950][RFC6918]
19	Reserved (for Security)	[Solo]
20-29	Reserved (for Robustness Experiment)	[ZSu]
30	Traceroute (Deprecated)	[RFC1393][RFC6918]
31	Datagram Conversion Error (Deprecated)	[RFC1475][RFC6918]
32	Mobile Host Redirect (Deprecated)	[David_Johnson][RFC6918]
33	IPv6 Where-Are-You (Deprecated)	[Simpson][RFC6918]
34	IPv6 I-Am-Here (Deprecated)	[Simpson][RFC6918]
35	Mobile Registration Request (Deprecated)	[Simpson][RFC6918]
36	Mobile Registration Reply (Deprecated)	[Simpson][RFC6918]
37	Domain Name Request (Deprecated)	[RFC1788][RFC6918]
38	Domain Name Reply (Deprecated)	[RFC1788][RFC6918]
39	SKIP (Deprecated)	[Markson][RFC6918]
40	Photuris	[RFC2521]
41	ICMP messages utilized by experimental mobility protocols such as Seamoby	[RFC4065]
42-252	Unassigned
253	RFC3692-style Experiment 1	[RFC4727]
254	RFC3692-style Experiment 2	[RFC4727]
255	Reserved	[JBP]

Dirk01_ · ‎07-23-2014

Same issue here, do you got in the meantime a solution ?

CaseyH_ · ‎07-23-2014

Out of curiosity, what's the problem being resolved by allowing PING through to all internal addresses?

(seriously, not trying to troll, just curious on the "why" part)

flip_pipe_ · ‎07-24-2014

Hi,

Like Cameron, we also have a rule allowing all ICMP to our networks. In our case is because the lack of logging in SA regarding L3 connectivity. So with this, we guarantee if one machine doesn't ping, the connectivity problem it is not in SA, but somewhere in the network, which saves some time in troubleshooting. The other side of the coin, is to open attack vector to our network. I also would like to close the ICMP to some codes and not all open.

Regards,

Dirk01_ · ‎07-24-2014

Yes, we want to restrict the ICMP to the Ping (ICMP type:8, code:0). From security point of view this could be a good idea.

To restrict the ICMP service in a firewall is quite commen.

Still the same question is this also possible in the Appliance ?

How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)

Re: How to setup ICMP rule on SA4500 via Access Control to allow only echo/ping (not other icmp types)