https://community.cisco.com/t5/network-security/blocking-icmp-through-asa/m-p/2678544#M190456 <P>&nbsp;</P><P>&nbsp;</P><P>config t<BR />(config)# policy-map global_policy<BR />(config-pmap)# class inspection_default<BR />(config-pmap-c)# no inspect icmp<BR />(config-pmap-c)# exit<BR />(config-pmap)# exit<BR />(config)# ping <A href="https://community.cisco.com/www.google.com" target="_blank">www.google.com</A><BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 216.58.196.100, timeout is 2 seconds:<BR />!!!!!<BR />Success rate is 100 percent (5/5), round-trip min/avg/max = 80/84/90 ms</P><P>&nbsp;</P><P>ASA gives logs in ASDM as follows:</P><P>An ICMP session was established in the fast-path when stateful ICMP was enabled using the <FONT color="Black"><B>inspect icmp </B></FONT>command. &nbsp;</P><P>&nbsp;</P><P>I have applied ACL &nbsp;to block&nbsp;any any ip and any any icmp&nbsp;&nbsp; on outside interface. Is this a normal behaviour of ASA. How do I block icmp ?</P> Tue, 12 Mar 2019 06:08:42 GMT shoaib sheikh 2019-03-12T06:08:42Z https://community.cisco.com/t5/network-security/blocking-icmp-through-asa/m-p/2678544#M190456 <P>&nbsp;</P><P>&nbsp;</P><P>config t<BR />(config)# policy-map global_policy<BR />(config-pmap)# class inspection_default<BR />(config-pmap-c)# no inspect icmp<BR />(config-pmap-c)# exit<BR />(config-pmap)# exit<BR />(config)# ping <A href="https://community.cisco.com/www.google.com" target="_blank">www.google.com</A><BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 216.58.196.100, timeout is 2 seconds:<BR />!!!!!<BR />Success rate is 100 percent (5/5), round-trip min/avg/max = 80/84/90 ms</P><P>&nbsp;</P><P>ASA gives logs in ASDM as follows:</P><P>An ICMP session was established in the fast-path when stateful ICMP was enabled using the <FONT color="Black"><B>inspect icmp </B></FONT>command. &nbsp;</P><P>&nbsp;</P><P>I have applied ACL &nbsp;to block&nbsp;any any ip and any any icmp&nbsp;&nbsp; on outside interface. Is this a normal behaviour of ASA. How do I block icmp ?</P> Tue, 12 Mar 2019 06:08:42 GMT https://community.cisco.com/t5/network-security/blocking-icmp-through-asa/m-p/2678544#M190456 shoaib sheikh 2019-03-12T06:08:42Z https://community.cisco.com/t5/network-security/blocking-icmp-through-asa/m-p/2678545#M190461 <P>Hi,</P><P>Normal ACL would only block traffic which is through the box.</P><P>This ping is initiated from the ASA device interface so you would need to use the "ICMP deny" command.</P><P>Refer:-</P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i1.html#pgfId-1779047</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Thu, 18 Jun 2015 08:01:20 GMT https://community.cisco.com/t5/network-security/blocking-icmp-through-asa/m-p/2678545#M190461 Vibhor Amrodia 2015-06-18T08:01:20Z https://community.cisco.com/t5/network-security/blocking-icmp-through-asa/m-p/2678546#M190466 <P>Thanks Vibhor .</P> Mon, 22 Jun 2015 03:57:42 GMT https://community.cisco.com/t5/network-security/blocking-icmp-through-asa/m-p/2678546#M190466 shoaib sheikh 2015-06-22T03:57:42Z