Many network administrators feel that ICMP is a security risk, and should therefore always be blocked. It is true that ICMP does have some security issues associated with it, and that a lot of ICMP should be blocked. ICMP has many important features; some are useful for troubleshooting, while some are essential for a network to function correctly. This procedure will disable ICMP on the IPS management interface.
2. Check to see whether ICMP is allowed by issuing the "show host" command:
- The output will resemble the following:
    TP10# show host
    Host IP = 192.168.2.127/24
    IPv6 State = Disabled
    IPv6 Autoconfig = Disabled
    IPv4 Default Gateway = 192.168.2.1
    Host Name = TP10
    Location = 224E
    FIPS Active Mode = Disable
    FIPS Cfg Mode = Disable
    ICMP Packets = Not Blocked
    IP Filters = 0
3. To configure the IPS to no longer respond to ICMP traffic, issue the following command:
    conf t host ip-filter deny any icmp
4. Check to see whether ICMP is now blocked by re-issuing the "show host" command:
- The output will resemble the following:
    TP10# show host
    Host IP = 192.168.2.127/24
    IPv6 State = Disabled
    IPv6 Autoconfig = Disabled
    IPv4 Default Gateway = 192.168.2.1
    Host Name = TP10
    Location = 224E
    FIPS Active Mode = Disable
    FIPS Cfg Mode = Disable
    ICMP Packets = Blocked
    IP Filters = 0
5. To return to the default setting (ICMP permitted), issue the following CLI command:
    conf t host ip-filter permit any icmp
Note: This filter can only be used with the wildcard "any" to specify the ip-network. It is not possible to specify ranges that are able to ping the IPS and other ranges that cannot ping the IPS.
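The procedure above is a manual check-and-fix cycle; when many IPS management interfaces have to be audited, the "show host" output can be parsed and compared against the intended ICMP state. The following Python helper is an added example and is not vendor code: it parses the "Key = Value" lines of the sample output shown in this article, reports whether ICMP packets are blocked, returns the deny or permit command from steps 3 and 5 as the remediation, and enforces the restriction from the note that the ip-filter only accepts the wildcard "any" as the network. The sample text is copied from the article's own "show host" listing; the function names are this example's own.

```python
"""Audit helper for 'show host' output of an IPS management interface (added example, not vendor code)."""

# Sample output taken from the article's "show host" listing (before ICMP is blocked).
SAMPLE_BEFORE = """\
TP10# show host
Host IP = 192.168.2.127/24
IPv6 State = Disabled
IPv6 Autoconfig = Disabled
IPv4 Default Gateway = 192.168.2.1
Host Name = TP10
Location = 224E
FIPS Active Mode = Disable
FIPS Cfg Mode = Disable
ICMP Packets = Not Blocked
IP Filters = 0
"""

# Same listing after step 3 has been applied (only the ICMP line changes in the article).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("ICMP Packets = Not Blocked", "ICMP Packets = Blocked")

# The two CLI commands from steps 3 and 5 of the procedure.
DENY_CMD = "conf t host ip-filter deny any icmp"
PERMIT_CMD = "conf t host ip-filter permit any icmp"


def parse_show_host(text):
    """Parse 'Key = Value' lines into a dict. Lines without '=' (such as the echoed
    'TP10# show host' prompt) are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def icmp_blocked(fields):
    """Return True if 'ICMP Packets' reads 'Blocked', False if 'Not Blocked',
    and None if the field is missing (unknown firmware output, truncated capture)."""
    state = fields.get("ICMP Packets")
    if state is None:
        return None
    return state.lower() == "blocked"


def audit(text, want_blocked=True):
    """Compare the device's ICMP state to policy.

    Returns (compliant, remediation_command); remediation_command is None when
    the device already matches the desired state."""
    blocked = icmp_blocked(parse_show_host(text))
    if blocked is None:
        raise ValueError("'ICMP Packets' field not found in show host output")
    if blocked == want_blocked:
        return True, None
    return False, (DENY_CMD if want_blocked else PERMIT_CMD)


def ip_filter_command(action, network="any"):
    """Build the ICMP ip-filter command. The article's note states the filter only
    accepts the wildcard 'any' for the network, so anything else is rejected here
    rather than producing a command the device will not honour."""
    if action not in ("deny", "permit"):
        raise ValueError("action must be 'deny' or 'permit'")
    if network != "any":
        raise ValueError("host ip-filter for icmp only accepts 'any' as the ip-network")
    return f"conf t host ip-filter {action} {network} icmp"


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ok, fix = audit(sample)
        print(f"{label}: compliant={ok} remediation={fix}")
```

Feed the function the captured text of "show host" from each device; a non-compliant result yields exactly the step 3 command to apply, and `want_blocked=False` yields the step 5 command for rolling the change back.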