https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586139#M203556 <P>Been wresting with this one for a bit not.</P><P>&nbsp;</P><P>Running IOS 9.2 on a ASA5505</P><P>&nbsp;</P><P>Can anyone tell me how I could accomplish this? I know how to&nbsp;disable ping on the outside interface using icmp deny any outside but then when I try to ping an external ip the replies seem to never come back.</P> Tue, 12 Mar 2019 05:07:01 GMT scotteberl 2019-03-12T05:07:01Z https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586139#M203556 <P>Been wresting with this one for a bit not.</P><P>&nbsp;</P><P>Running IOS 9.2 on a ASA5505</P><P>&nbsp;</P><P>Can anyone tell me how I could accomplish this? I know how to&nbsp;disable ping on the outside interface using icmp deny any outside but then when I try to ping an external ip the replies seem to never come back.</P> Tue, 12 Mar 2019 05:07:01 GMT https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586139#M203556 scotteberl 2019-03-12T05:07:01Z https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586140#M203557 <P>Denying ICMP packets wholesale isn't a practice I recommend, only because you're disabling essential control packets along with ping requests. Instead of turning it off with "icmp deny any outside", try putting something like "deny icmp any any echo" in the ACL for your outside interface. This will prevent external ping traffic, but allow other ICMP to pass... including replies to ping requests generated by internal devices.</P> Fri, 21 Nov 2014 02:46:26 GMT https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586140#M203557 ghostinthenet 2014-11-21T02:46:26Z https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586141#M203558 <P>Thanks for the reply Jody. I ended up getting it working using the following configuration items:</P><P>&nbsp;</P><P>icmp permit any echo-reply OUTSIDE<BR />icmp deny any echo OUTSIDE</P><P>&nbsp;</P> Fri, 21 Nov 2014 03:44:29 GMT https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586141#M203558 scotteberl 2014-11-21T03:44:29Z https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586142#M203559 <P>That will work, too.</P><P>Also, it's best to make sure you're permitting all of the other ICMP types other than echo&nbsp;so that you don't lose control functions like path mtu discovery, network unreachable, traceroute, &amp;c.</P> Fri, 21 Nov 2014 05:56:26 GMT https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586142#M203559 ghostinthenet 2014-11-21T05:56:26Z https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586143#M203560 <P>So you don't see allowing ping to the outside interface of the ASA as a security concern?</P> Fri, 21 Nov 2014 21:34:50 GMT https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586143#M203560 scotteberl 2014-11-21T21:34:50Z https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586144#M203561 <P>Personally, no... but that's up to you.</P><P>What I'm saying is that even if you&nbsp;<EM>are</EM>&nbsp;blocking pings to your ASA, you should make sure that <EM>other</EM> ICMP traffic is permitted in. These are used for various Internet control functions and you're potentially limiting functionality and troubleshooting capabilities by blocking them.</P> Fri, 21 Nov 2014 22:28:08 GMT https://community.cisco.com/t5/network-security/deny-ping-on-outside-interface-while-allowing-inside-hosts-to/m-p/2586144#M203561 ghostinthenet 2014-11-21T22:28:08Z