Cisco 7604 Configuration Guide - Page 531
Allowing ICMP to and from the FWSM
Chapter 23 Configuring Management Access

Step 7 List multiple transform sets in order of priority (highest priority first). You can specify up to six transform sets.

Step 8 To specify the interface at which you want this tunnel to terminate, enter the following command:

    hostname(config)# crypto map crypto_map_name interface interface_name

You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site tunnel and VPN clients on the same interface, they need to share the same crypto map name. This command must be entered after all other crypto map commands. If you change any crypto map settings, remove this command with the no prefix, then reenter it.

To allow Telnet or SSH access, see the "Allowing Telnet Access" section on page 23-1 and the "Allowing SSH Access" section on page 23-2.

For example, the following commands allow hosts connected to the peer router (209.165.202.129) to use Telnet on the outside interface (209.165.200.225).
    hostname(config)# isakmp policy 1 authentication pre-share
    hostname(config)# isakmp policy 1 encryption 3des
    hostname(config)# isakmp policy 1 group 2
    hostname(config)# isakmp policy 1 hash sha
    hostname(config)# isakmp enable outside
    hostname(config)# crypto ipsec transform-set vpn esp-3des esp-sha-hmac
    hostname(config)# isakmp key 7mfi02lirotn address 209.165.202.129
    hostname(config)# access-list TUNNEL extended permit ip host 209.165.200.225 209.165.201.0 255.255.255.224
    hostname(config)# crypto map telnet_tunnel 1 ipsec-isakmp
    hostname(config)# crypto map telnet_tunnel 1 match address TUNNEL
    hostname(config)# crypto map telnet_tunnel 1 set peer 209.165.202.129
    hostname(config)# crypto map telnet_tunnel 1 set transform-set vpn
    hostname(config)# crypto map telnet_tunnel interface outside
    hostname(config)# telnet 209.165.201.0 255.255.255.224 outside
    hostname(config)# telnet timeout 30

Allowing ICMP to and from the FWSM

By default, ICMP (including ping) is not allowed to an FWSM interface or through the FWSM. (To allow ICMP through the FWSM, see Chapter 15, "Permitting or Denying Network Access.") ICMP is an important tool for testing your network connectivity; however, it can also be used to attack the FWSM or your network. We recommend allowing ICMP during your initial testing, but then disallowing it during normal operation. See the "Rule Limits" section on page A-6 for information about the maximum number of ICMP rules allowed for the entire system.

To permit or deny address(es) to reach an FWSM interface with ICMP (either from a host to the FWSM, or from the FWSM to a host, which requires the ICMP reply to be allowed back), enter the following command:

    hostname(config)# icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name

If you do not specify an icmp_type, all ICMP types are matched. You can enter the number or the name. To control ping, specify echo-reply (0) (FWSM to host) or echo (8) (host to FWSM). See the "ICMP Types" section on page E-15 for a list of ICMP types.

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 23-9
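The following ICMP rule set is an added example, not part of the guide, showing how the icmp command above can be used to follow the recommendation to allow ping only during initial testing. The management host address 209.165.201.10 is constructed for illustration, and the show running-config icmp verification command is assumed to be available on the FWSM as it is on the ASA.

```cisco
! Added example; the management host address is constructed.
! Initial testing: allow echo (8) from one management host to the outside
! interface, and allow echo-reply (0) from any host so that pings sent from
! the FWSM itself get their replies back. All other ICMP to the interface is
! denied explicitly rather than relying on the default behaviour.
hostname(config)# icmp permit host 209.165.201.10 echo outside
hostname(config)# icmp permit any echo-reply outside
hostname(config)# icmp deny any outside

! Normal operation: remove the testing rules with the no prefix so that no
! ICMP reaches the outside interface; the explicit deny remains in place.
hostname(config)# no icmp permit host 209.165.201.10 echo outside
hostname(config)# no icmp permit any echo-reply outside

! Confirm which ICMP rules are active for each interface.
hostname# show running-config icmp
```

Rules are listed in the order they are entered, so the permit entries must precede the deny any entry; placing the deny first would match every ICMP packet before the permits are consulted. Note that these rules only govern ICMP addressed to or originated by the FWSM interface itself; ICMP passing through the FWSM is controlled by access lists, as described in Chapter 15.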