https://community.cisco.com/t5/network-security/enabling-icmp-through-asa-firewalls/m-p/4686725#M1093356 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1404070">@Drader</a> #1 and #3 turn on ICMP stateful inspection globally. The command "fixup protocol icmp" (#3) is just a shortcut to enable icmp inspection under the global policy (#1) - both achieve the same thing.</P> <P>#2 explictly permits the return ICMP traffic on the ACL, usually this is inbound on the outside interface. You would use the ACL if you didn't want to inspect ICMP. The ACL can of course be configured granularly, so explictly permitting ICMP traffic for certain hosts/subnets, and denying for the rest.</P> <P>&nbsp;</P> Wed, 14 Sep 2022 07:06:00 GMT Rob Ingram 2022-09-14T07:06:00Z https://community.cisco.com/t5/network-security/enabling-icmp-through-asa-firewalls/m-p/4685770#M1093354 <P>Hello, I am new to networking and was wondering if anyone can tell me what is the difference (like in what situation will I need to use them) amongst the following commands for cisco ASA:</P><P>1. inspect icmp - for policy-map global_policy</P><P>2. access-list icmp extended permit icmp any any (and using access group after)</P><P>3. fixup protocol icmp</P><P>Thank you in advance!</P> Wed, 14 Sep 2022 06:05:01 GMT https://community.cisco.com/t5/network-security/enabling-icmp-through-asa-firewalls/m-p/4685770#M1093354 Drader 2022-09-14T06:05:01Z https://community.cisco.com/t5/network-security/enabling-icmp-through-asa-firewalls/m-p/4686721#M1093355 <P>1st and 3rd commands using to inform firewall to treat ICMP traffic as a statefull way. 2nd command is allowing ICMP traffic using ACL applied to respect direction and interface.</P> Wed, 14 Sep 2022 06:51:08 GMT https://community.cisco.com/t5/network-security/enabling-icmp-through-asa-firewalls/m-p/4686721#M1093355 Kasun Bandara 2022-09-14T06:51:08Z https://community.cisco.com/t5/network-security/enabling-icmp-through-asa-firewalls/m-p/4686725#M1093356 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1404070">@Drader</a> #1 and #3 turn on ICMP stateful inspection globally. The command "fixup protocol icmp" (#3) is just a shortcut to enable icmp inspection under the global policy (#1) - both achieve the same thing.</P> <P>#2 explictly permits the return ICMP traffic on the ACL, usually this is inbound on the outside interface. You would use the ACL if you didn't want to inspect ICMP. The ACL can of course be configured granularly, so explictly permitting ICMP traffic for certain hosts/subnets, and denying for the rest.</P> <P>&nbsp;</P> Wed, 14 Sep 2022 07:06:00 GMT https://community.cisco.com/t5/network-security/enabling-icmp-through-asa-firewalls/m-p/4686725#M1093356 Rob Ingram 2022-09-14T07:06:00Z