<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ICMP question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/icmp-question/m-p/916792#M1000420</link>
    <description>&lt;P&gt;Amin&lt;/P&gt;&lt;P&gt;I do not believe that a blanket deny of all ICMP is ever a best practice. If there are some ICMP messages that you believe are security weaknesses then block those specific messages. But there are many ICMP messages that have useful (sometimes almost necessary) information that you would give up if you did a deny icmp any any. For example, blocking the ICMP message about Fragmentation required but DF set is what frequently breaks Path MTU Discovery.&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;</description>
    <pubDate>Mon, 24 Sep 2007 13:56:40 GMT</pubDate>
    <dc:creator>Richard Burts</dc:creator>
    <dc:date>2007-09-24T13:56:40Z</dc:date>
    <item>
      <title>ICMP question</title>
      <link>https://community.cisco.com/t5/network-security/icmp-question/m-p/916791#M1000419</link>
      <description>&lt;P&gt;Hello:&lt;/P&gt;&lt;P&gt;I just wanted to ask for an opinion: would denying ICMP from hosts inside the network to the Internet be considered a Best Practice? If so, could someone tell me why?&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Amin&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 11:15:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/icmp-question/m-p/916791#M1000419</guid>
      <dc:creator>amohammed01</dc:creator>
      <dc:date>2019-03-11T11:15:57Z</dc:date>
    </item>
    <item>
      <title>Re: ICMP question</title>
      <link>https://community.cisco.com/t5/network-security/icmp-question/m-p/916792#M1000420</link>
      <description>&lt;P&gt;Amin&lt;/P&gt;&lt;P&gt;I do not believe that a blanket deny of all ICMP is ever a best practice. If there are some ICMP messages that you believe are security weaknesses then block those specific messages. But there are many ICMP messages that have useful (sometimes almost necessary) information that you would give up if you did a deny icmp any any. For example, blocking the ICMP message about Fragmentation required but DF set is what frequently breaks Path MTU Discovery.&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;</description>
      <pubDate>Mon, 24 Sep 2007 13:56:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/icmp-question/m-p/916792#M1000420</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-09-24T13:56:40Z</dc:date>
    </item>
    <item>
      <title>Re: ICMP question</title>
      <link>https://community.cisco.com/t5/network-security/icmp-question/m-p/916793#M1000421</link>
      <description>&lt;P&gt;I would think this would not be a best practice. How would you troubleshoot connectivity issues? For example, you can't connect to &lt;A class="jive-link-custom" href="http://www.cisco.com." target="_blank"&gt;www.cisco.com.&lt;/A&gt; Is Cisco's site down, is your LAN down, is your WAN down, is your ISP down, is your DNS server down? How would you answer these questions if you deny ICMP? If you are thinking of just blocking ICMP for Joe user, I don't think that you would gain anything. You can put QoS on routers to throttle ICMP traffic, maybe that is the route &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; to go. Or, you need to be looking at bandwidth issues from Skype, BitTorrent, and other application-layer filtering.&lt;/P&gt;</description>
      <pubDate>Mon, 24 Sep 2007 14:22:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/icmp-question/m-p/916793#M1000421</guid>
      <dc:creator>murray-davis</dc:creator>
      <dc:date>2007-09-24T14:22:13Z</dc:date>
    </item>
  </channel>
</rss>

