Cisco ACE-4710-K9
418 pages
Chapter 2 Enabling Remote Access to the ACE
Enabling ICMP Messages to the ACE
2-20
Cisco 4700 Series Application Control Engine Appliance Administration Guide
OL-11157-01
See the “Configuring Remote Network Management Traffic Services” section for
details on configuring a network management class map, policy map, and service
policy for the ACE.
To allow ICMP messages to pass through the ACE, configure an ICMP ACL to
permit or deny network connections based on the ICMP type (for example, echo,
echo-reply, or unreachable). See the Cisco 4700 Series Application Control
Engine Appliance Security Configuration Guide for details.
Note: If you want only to allow the ACE to ping a host (and allow the echo reply back
to the interface), but not allow hosts to ping the ACE, enable the ICMP application
protocol inspection function instead of defining a class map and policy map. See
the Cisco 4700 Series Application Control Engine Appliance Security
Configuration Guide for details.
For example, to allow the ACE to receive ICMP pings, enter the following
commands:
host1/Admin(config)# class-map type management match-all ICMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow ICMP packets
host1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)# policy-map type management first-match ICMP_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input ICMP_ALLOW_POLICY
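
An added example (not from the Cisco guide): a Python script that reads management class maps written as in the commands above and reports how many source addresses each match protocol line admits, so that an overly wide ICMP permit stands out during a configuration review. The sample text, the WIDE_CLASS name, the function names and the 256-address threshold are constructed for illustration; an optional leading line number on match lines is tolerated as an assumption about saved configurations.

```python
import ipaddress
import re

# Constructed sample: the class map from the example above plus a broader one.
SAMPLE_CONFIG = """\
class-map type management match-all ICMP-ALLOW_CLASS
  description Allow ICMP packets
  match protocol icmp source-address 172.16.10.0 255.255.255.254
class-map type management match-any WIDE_CLASS
  match protocol icmp any
"""

CLASS_RE = re.compile(r"^class-map type management match-(?:all|any) (\S+)$")
MATCH_RE = re.compile(
    r"^(?:\d+ )?match protocol (\S+) (?:(any)|source-address (\S+) (\S+))$")


def management_sources(config_text):
    """Return (class_map, protocol, network) for each management match line."""
    results, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("class-map"):
            # Only management class maps are tracked; any other type resets.
            m = CLASS_RE.match(line)
            current = m.group(1) if m else None
            continue
        m = MATCH_RE.match(line)
        if m and current:
            proto, any_kw, addr, mask = m.groups()
            net = (ipaddress.ip_network("0.0.0.0/0") if any_kw
                   else ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            results.append((current, proto, net))
    return results


def too_broad(config_text, protocol="icmp", max_addresses=256):
    """Class maps whose permitted source range for protocol exceeds the limit."""
    return [(name, str(net))
            for name, proto, net in management_sources(config_text)
            if proto == protocol and net.num_addresses > max_addresses]


if __name__ == "__main__":
    for name, proto, net in management_sources(SAMPLE_CONFIG):
        print(f"{name}: {proto} from {net} ({net.num_addresses} addresses)")
    print("flagged:", too_broad(SAMPLE_CONFIG))
```

The mask 255.255.255.254 in the example above resolves to 172.16.10.0/31, so only two source addresses are permitted to ping the ACE.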