https://community.cisco.com/t5/network-security/why-permit-icmp-any-any-echo-reply-apply-to-inside-in-direction/m-p/2652597#M196930 <P><EM>why "permit icmp any any echo-reply" in inside in direction is useless ?</EM></P><P><EM>why must need "permit ip any any" in inside in direction in order to ping outside?</EM></P><P>It all depends on the direction of the ping and from where it was initiated.</P><P>The following assumes your acls are applied inbound on the interfaces and you do not have ICMP inspection enabled.</P><P>If you have an acl applied to the inside interface (which you don't necessarily need by the way) and the ping was started from the outside then you would need an echo-reply entry in your inside&nbsp;acl assuming you did not have a permit ip any any.</P><P>You don't need a permit ip any any to start the ping from inside but you would need an echo entry if you had an acl applied to inside interface.&nbsp;</P><P>Note that is echo not echo-reply.</P><P>You have to think of it in terms of the direction of the packet as to what you need to match.</P><P>If you want to be able to start the ping from both sides without using permit ip any any in either of your acls then you need an echo and an echo-reply entry in each acl.</P><P>Jon</P><P>&nbsp;</P> Thu, 19 Feb 2015 19:02:38 GMT Jon Marshall 2015-02-19T19:02:38Z https://community.cisco.com/t5/network-security/why-permit-icmp-any-any-echo-reply-apply-to-inside-in-direction/m-p/2652596#M196929 <P>when i&nbsp;</P><P>no access-list 100 permit ip any any</P><P>in inside, inside can not ping outside</P><P>then</P><P>i&nbsp;no access-list 100 extended permit icmp any any echo-reply log</P><P>inside can ping outside due to&nbsp;access-list 100 permit ip any any</P><P>&nbsp;</P><P>now, below code, can make inside can ping outside and outside can not ping inside, it is correct.</P><P>is "permit icmp any any echo-reply log" mainly used for outside in direction, not inside in direction in real practice?</P><P>but, i do not understand that</P><P>why "permit icmp any any echo-reply" in inside in direction is useless ?</P><P>why must need "permit ip any any" in inside in direction in order to ping outside?</P><P>&nbsp;</P><P>(Essential, with permit ip inside can ping outside)<BR />conf t<BR />no access-list 100 extended permit icmp any any echo-reply log<BR />access-list 100 extended permit tcp any any log<BR />access-list 100 permit ip any any<BR />access-group 100 in interface inside<BR />end</P><P>(Essential, without permit ip, outside can not ping to inside)<BR />conf t<BR />access-list 200 extended permit icmp any any echo-reply log<BR />access-list 200 extended permit tcp any any log<BR />access-group 200 in interface outside<BR />end</P> Tue, 26 Mar 2019 00:55:00 GMT https://community.cisco.com/t5/network-security/why-permit-icmp-any-any-echo-reply-apply-to-inside-in-direction/m-p/2652596#M196929 martlee2 2019-03-26T00:55:00Z https://community.cisco.com/t5/network-security/why-permit-icmp-any-any-echo-reply-apply-to-inside-in-direction/m-p/2652597#M196930 <P><EM>why "permit icmp any any echo-reply" in inside in direction is useless ?</EM></P><P><EM>why must need "permit ip any any" in inside in direction in order to ping outside?</EM></P><P>It all depends on the direction of the ping and from where it was initiated.</P><P>The following assumes your acls are applied inbound on the interfaces and you do not have ICMP inspection enabled.</P><P>If you have an acl applied to the inside interface (which you don't necessarily need by the way) and the ping was started from the outside then you would need an echo-reply entry in your inside&nbsp;acl assuming you did not have a permit ip any any.</P><P>You don't need a permit ip any any to start the ping from inside but you would need an echo entry if you had an acl applied to inside interface.&nbsp;</P><P>Note that is echo not echo-reply.</P><P>You have to think of it in terms of the direction of the packet as to what you need to match.</P><P>If you want to be able to start the ping from both sides without using permit ip any any in either of your acls then you need an echo and an echo-reply entry in each acl.</P><P>Jon</P><P>&nbsp;</P> Thu, 19 Feb 2015 19:02:38 GMT https://community.cisco.com/t5/network-security/why-permit-icmp-any-any-echo-reply-apply-to-inside-in-direction/m-p/2652597#M196930 Jon Marshall 2015-02-19T19:02:38Z