Cisco ASA and PIX Firewall Handbook

1-2. Inspection Engines for ICMP, UDP, and TCP

The following sections outline the basic stateful inspection of each type of applicable protocol.

ICMP Inspection

ICMP is a connectionless protocol, because it allows one host to send another host a message without expecting a reply. Because of this, a firewall can't examine or track the state of ICMP traffic between two machines. However, beginning with PIX 7.x, a firewall can track the state of ICMP packet exchanges, offering an approximation of a stateful inspection.

A firewall must rely on some of its basic mechanisms for inspecting ICMP traffic—the xlate table and ACLs. Note that no connections are used with ICMP, so no conn entries are created for ICMP traffic. Figure 1-5 shows how a Cisco ...

Get Cisco ASA and PIX Firewall Handbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Cisco ASA and PIX Firewall Handbook by Dave Hucaby

1-2. Inspection Engines for ICMP, UDP, and TCP

ICMP Inspection

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly