topic Block ping to ASA but allow from certain IPs in Network Security

Block ping to ASA but allow from certain IPs

Brad_Shawh — Mon, 20 Jul 2020 19:17:34 GMT

I am looking for a simple setup

1) Nobody should be able to ping my ASA's outside interface except (an Object group of) whitelisted IPs

2) We should be able to ping everything from inside to outside

How do I achieve this?

Thank you very much in advance.

Re: Block ping to ASA but allow from certain IPs

Rob Ingram — Mon, 20 Jul 2020 19:20:42 GMT

Hi,

1. Use the command "icmp { permit | deny } ip_address net_mask [ icmp_type ] if_name" to configure ICMP rules to ping the ASA's interface.

Reference:-

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html

2. Use command fixup protcol icmp to enable ICMP inspection for traffic through the ASA (from inside to outside).

HTH

Re: Block ping to ASA but allow from certain IPs

balaji.bandi — Mon, 20 Jul 2020 19:23:52 GMT

icmp permit any outside - allow ping outside

then create an ACL to allow only those IP addresses.

Re: Block ping to ASA but allow from certain IPs

Brad_Shawh — Mon, 20 Jul 2020 19:26:41 GMT

Could you please elaborate with an example? Thank you.

Re: Block ping to ASA but allow from certain IPs

Rob Ingram — Mon, 20 Jul 2020 19:31:30 GMT

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:

ciscoasa(config)# icmp permit host 172.16.2.15 echo-reply outside 
ciscoasa(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside 
ciscoasa(config)# icmp permit any unreachable outside

Re: Block ping to ASA but allow from certain IPs

balaji.bandi — Mon, 20 Jul 2020 19:43:45 GMT

# access-list ACL_IN permit icmp any any echo-reply
# access-list ACL_IN permit icmp any any echo
# access-list ACL_IN permit icmp any any time-exceeded
# access-group ACL_IN in interface outside

create ACL_IN with the IP address in it.

Re: Block ping to ASA but allow from certain IPs

Brad_Shawh — Wed, 22 Jul 2020 15:48:44 GMT

Would access list work with 'to the box' traffic?

I created the following ACL, please let me know if this is fine

icmp permit any echo-reply outside << ASA can ping any IP on Internet
icmp permit host a.b.c.d outside << a.b.c.d can ping ASA's Outside Interface
icmp deny any outside << Nobody can ping ASA' Outside Interface

*With this config, all my inside hosts are able to ping internet, which is fine.

Re: Block ping to ASA but allow from certain IPs

Rob Ingram — Wed, 22 Jul 2020 16:05:11 GMT

No. An access list assigned to an interface e.g. "access-list OUTSIDE_IN pemit|deny icmp any any" denies or pemits traffic through the ASA not to the ASA's interface.

The configuration you provided with the command starting icmp ....... controls traffic to the ASA's interface, and has nothing to do with allowing inside hosts to ping the internet.

Re: Block ping to ASA but allow from certain IPs

Brad_Shawh — Wed, 22 Jul 2020 17:01:23 GMT

Thank you,

Please ignore my point about 'through the box' traffic.

So, the configuration I pasted is good enough, correct?

Two questions

1) I assume there is no way to use object group in this 'icmp' acl? The best way to add entries is use ASDM and use 'insert' feature, correct?

2) I tried using control plane ACL to deny ICMP traffic, it didn't work. Does control place ACL not work with ICMP?

Re: Block ping to ASA but allow from certain IPs

Rob Ingram — Wed, 22 Jul 2020 17:10:05 GMT

No, unfortunately you cant use an object with the "icmp" acl.

You would need to use the icmp command to control icmp traffic destinated to the ASA. A control plane ACL (rarely used IMO) could be used to control inbound VPN traffic (IPSec or SSL).

Re: Block ping to ASA but allow from certain IPs

Brad_Shawh — Wed, 22 Jul 2020 17:25:47 GMT

Thank you very much 🙂