48-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 48 Configuring Device Access Settings on Firewall Devices
Configuring ICMP
Use the table on the ICMP page to manage Internet Control Message Protocol (ICMP) rules, which
specify the addresses of all hosts or networks that are allowed or denied ICMP access to specific
interfaces on the security device.
The ICMP rules control ICMP traffic that terminates on any device interface. If no ICMP control list is
configured, the device accepts all ICMP traffic that terminates at any interface, including the outside
interface. However, by default, the device does not respond to ICMP echo requests directed to a
broadcast address.
It is recommended that permission is always granted for the ICMP Unreachable message (type 3).
Denying ICMP Unreachable messages disables ICMP Path MTU Discovery, which depends on the
Fragmentation Needed variant of that message (type 3, code 4), and can halt IPsec and PPTP traffic.
Because the list is evaluated first-match, place the permit entry for Unreachable ahead of any broad
deny entry on the same interface. See RFC 1191 and RFC 1435 for details about Path MTU Discovery.
If an ICMP control list is configured, the device evaluates ICMP traffic against the entries in order,
applies the first matching entry, and treats anything left unmatched as an implicit deny all. That is, if
the first matched entry is a permit entry, processing of the ICMP packet continues. If the first matched
entry is a deny entry, or no entry matches, the device discards the ICMP packet and generates a syslog
message. If an ICMP control list is not configured, a permit rule is assumed in all cases.
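The following is an added example, not code from Security Manager or the ASA, that models the first-match, implicit-deny evaluation described above so the ordering pitfalls can be checked before a policy is deployed. The rule lines are constructed in the style of the ASA/PIX `icmp` command (`icmp {permit | deny} {host A.B.C.D | A.B.C.D MASK | any} [type] interface`); the parser is a small approximation written for this illustration, and the function names `parse_rule`, `evaluate`, `decide` and `shadowed_rules` are this example's own. It treats the control list as per interface, so an interface with no entries accepts all ICMP, which is how the ASA `icmp` command reference phrases the behaviour; that per-interface reading is an assumption relative to the wording on this page.

```python
"""Model ICMP control-list evaluation: first match wins, then implicit deny.

Added example, not Security Manager or ASA code. The `icmp ...` lines used
here are constructed in the style of the ASA/PIX icmp command; the parser is
an approximation for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ICMP type keywords accepted by the ASA icmp command, mapped to type numbers.
ICMP_TYPES = {
    "echo": 8,
    "echo-reply": 0,
    "unreachable": 3,
    "time-exceeded": 11,
    "traceroute": 30,
}


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # source network the entry matches
    icmp_type: Optional[int]         # None means any ICMP type
    interface: str                   # interface the traffic terminates on


def parse_rule(line: str) -> Rule:
    """Parse one constructed `icmp ...` line into a Rule (approximate grammar)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line!r}")
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        network, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        network, rest = ipaddress.IPv4Network(f"{rest[1]}/32"), rest[2:]
    else:
        # Address followed by a dotted mask, e.g. 10.1.1.0 255.255.255.0
        network, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}"), rest[2:]
    icmp_type = None
    if len(rest) == 2:  # optional type keyword or number precedes the interface
        icmp_type = int(rest[0]) if rest[0].isdigit() else ICMP_TYPES[rest[0]]
        rest = rest[1:]
    return Rule(action, network, icmp_type, rest[0])


def evaluate(rules: List[Rule], src: str, icmp_type: int, interface: str) -> str:
    """Return 'permit', 'deny' or 'implicit-deny' for one terminating ICMP packet.

    Assumption: entries are scoped per interface, so an interface with no
    entries at all behaves as if no control list were configured (permit).
    """
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return "permit"
    src_ip = ipaddress.IPv4Address(src)
    for r in applicable:  # first match decides
        if src_ip in r.network and (r.icmp_type is None or r.icmp_type == icmp_type):
            return r.action
    return "implicit-deny"  # list exists but nothing matched


def decide(config_lines: List[str], src: str, icmp_type: int, interface: str) -> str:
    return evaluate([parse_rule(l) for l in config_lines], src, icmp_type, interface)


def shadowed_rules(config_lines: List[str]) -> List[str]:
    """Entries that can never match because an earlier entry on the same interface
    already covers their source network and ICMP type (the first-match pitfall)."""
    rules = [parse_rule(l) for l in config_lines]
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.interface == later.interface
                    and later.network.subnet_of(earlier.network)
                    and (earlier.icmp_type is None or earlier.icmp_type == later.icmp_type)):
                shadowed.append(config_lines[i])
                break
    return shadowed


# Constructed sample policy: keep PMTUD working on outside, allow echo only from
# one management host on inside, explicitly deny everything else on outside.
SAMPLE_RULES = [
    "icmp permit any unreachable outside",
    "icmp permit host 10.1.1.10 echo inside",
    "icmp deny any outside",
]

# Constructed mis-ordered policy: the broad deny comes first, so the permit for
# Unreachable is dead and Path MTU Discovery breaks on outside.
MISORDERED_RULES = [
    "icmp deny any outside",
    "icmp permit any unreachable outside",
]

if __name__ == "__main__":
    for src, t, ifc in [("203.0.113.5", 3, "outside"), ("203.0.113.5", 8, "outside"),
                        ("10.1.1.10", 8, "inside"), ("10.1.1.20", 8, "inside")]:
        print(f"{ifc:8} src={src:13} type={t:2} -> {decide(SAMPLE_RULES, src, t, ifc)}")
    print("shadowed:", shadowed_rules(MISORDERED_RULES))
```

Running the block prints the verdict for each sample packet and reports the dead permit entry in the mis-ordered list; `shadowed_rules` is the check worth running over any list before it is pushed, since Security Manager deploys entries in the order shown in the table.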
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy
selector.
(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from
the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new
one.
Table 48-2 HTTP Configuration Dialog Box (Continued)

Element                            Description
IP Address/Netmask                 Enter the IP address and netmask, separated by a forward slash ("/"),
                                   of the host or network that is permitted to establish an HTTP
                                   connection with the device. Alternately, you can click Select to
                                   select a Networks/Hosts object.
Enable Authentication Certificate  Select this option to require user certificate authentication in
                                   order to establish an HTTP connection. On ASA and PIX 8.0(2)+
                                   devices, you can specify the authentication Port.
Redirect port                      The port on which the security appliance listens for HTTP requests,
                                   which it then redirects to HTTPS. To disable HTTP redirect, ensure
                                   that this field is blank.