Security

MVP
Posts: 1,110
Registered: 10-11-2011

Allow only echo replies

I have a set of devices that should not be able to initiate any traffic, but may respond to traffic sent to them.  Their role has one ACL - denyall.  However, I've found that I can't ping these devices until I apply a session ACL with icmp allowed.  Doing this allows the echo-reply and the device to initiate a ping to the network which I do not want.  To try and fix this, I created an extended ACL that only allows echo-replies from these devices, but it appears as though I can't apply it to the user role.

What options do I have to keep these devices from initiating traffic to the inside and only allow responses?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 21,031
Registered: 03-29-2007

Re: Allow only echo replies

How about any user icmp permit?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: 10-11-2011

Re: Allow only echo replies

Maybe I'm misunderstanding how session ACLs work, but wouldn't that allow the devices to initiate ICMP traffic towards the network when I only want return ICMP traffic (echo-replies)?

Guru Elite
Posts: 21,031
Registered: 03-29-2007

Re: Allow only echo replies


thecompnerd wrote:

Maybe I'm misunderstanding how session ACLs work, but wouldn't that allow the devices to initiate ICMP traffic towards the network when I only want return ICMP traffic (echo-replies)?


You can try this:

user any icmp drop
any user icmp permit

I am not sure about the stateful aspect of ICMP, but please try.  It should allow replies to the second statement, but not allow any icmp be initiated based on the first.

Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,110
Registered: 10-11-2011

Re: Allow only echo replies

Thanks, I'll give that a try.

My experience with Cisco firewalls has been that ICMP return traffic is not allowed by default, so you either allow it with an ACL or ICMP inspection.  Naturally, I'm trying to apply the same thinking to Aruba which may not be applicable.

Guru Elite
Posts: 21,031
Registered: 03-29-2007

Re: Allow only echo replies

It is similar, but different ;)



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,110
Registered: 10-11-2011

Re: Allow only echo replies

I simplified the session ACL to this:

user any any deny
any user any permit

I did this so that all other devices on the network can initiate communication with the printers, but not vice versa.  I made sure I received the role with this ACL applied and was not able to initiate communication to the inside, but could reply to traffic.  This is what I wanted. I'm fairly confident this is secure.  Would you agree?

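The two-line ACL from the post above, written out as a complete ArubaOS session ACL bound to a user role, with the show commands a practitioner would use to confirm it behaves as described. This is an added example, not configuration from the original thread: the ACL name printer-reply-only, the role name printer, the sample printer address 10.20.30.40, and the access-list session syntax inside user-role (which varies between ArubaOS releases) are assumptions.

```text
! Session ACLs are stateful and evaluated top down, first match wins.
! Rule 1: a flow opened by the printer (the "user" side) toward anything is denied.
! Rule 2: a flow opened by anything toward the printer is permitted; the reply
!         packets are matched to that session entry, so no user->any permit is needed.
ip access-list session printer-reply-only
  user any any deny
  any user any permit
!
! Bind the ACL as the only ACL in the printers' role.
user-role printer
  access-list session printer-reply-only
!
! Checks, run on the controller after a printer has picked up the role:
! 1. The role carries exactly this ACL and nothing more permissive.
show rights printer
! 2. Ping the printer from a host on the inside: the session table for the printer
!    should show only sessions whose source is the inside host.
show datapath session table 10.20.30.40
! 3. Ping an inside host from the printer: the deny rule's hit counter should climb
!    and no session entry sourced from 10.20.30.40 should appear.
show acl hits
```

Two things worth checking before calling the role done. First, the "user any any deny" line also blocks anything the printer must initiate itself; if the printers lease addresses by DHCP, a "user any svc-dhcp permit" line placed above the deny is needed or the lease will not renew. Second, the session firewall only enforces traffic that passes through the controller, so printers on a bridge-mode or locally switched segment are not covered by this ACL at all.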
Guru Elite
Posts: 21,031
Registered: 03-29-2007

Re: Allow only echo replies

If it works for you, then it is!  Glad you found a solution...



Colin Joseph
Aruba Customer Engineering
