topic Denying ICMP on outside interface of ASA in Network Security

Denying ICMP on outside interface of ASA

mahesh18 — Tue, 12 Mar 2019 00:01:49 GMT

Hi Everyone,

On ASA ASDM mode i config the ICMP rule

any outside deny any IP any Mask.

So basically i am denying ICMP on outiside interface of ASA from any IP address and subnet mask.

After doing this here is results

1> From ASA ping to inside interface and outside interface IP address works fine.

Need to know why -- how traffic flows?

2>From ASA any ping to internet does not work.

3>From PC i am able to ping any internet IP address.Need to know why ping works now?

Many thanks

Mahesh

Denying ICMP on outside interface of ASA

Harish Balakrishnan — Mon, 01 Oct 2012 05:27:18 GMT

Hello Mahesh

Is it possible to share your config ?

regards

Harish

Denying ICMP on outside interface of ASA

cadet alain — Mon, 01 Oct 2012 08:45:20 GMT

Hi,

you must differentiate forwarded traffic and traffic destined to or originated by the ASA.

In your case you denied ICMP messages destined to the outside interface,not ICMP messages going through your ASA.

Regards.

Alain

Don't forget to rate helpful posts.

Denying ICMP on outside interface of ASA

mahesh18 — Mon, 01 Oct 2012 14:09:15 GMT

Hi Alain.

When you say forwarded traffic is this traffic going from inside of ASA to outside world?

What is traffic originated by ASA ?if you can explain that in detail please?

When i ping from PC attached to inside interface to outside host then the return traffic comes back to outside interface

but it allows that traffic as it is for inside interface not outside interface right ?

When i ping from ASA to outside world then source traffic is originated by outside world and it is denied right?

Regards

MAhesh

Denying ICMP on outside interface of ASA

cadet alain — Mon, 01 Oct 2012 14:12:40 GMT

Hi,

post screenshot of what you did exactly or post show run to see what you configured.

Regards.

Alain

Don't forget to rate helpful posts.

Denying ICMP on outside interface of ASA

mahesh18 — Mon, 01 Oct 2012 14:26:55 GMT

Hi Alain,

Here is what i did

ciscoasa(config)# icmp deny any outside

ciscoasa(config)# end

ciscoasa# sh run

ciscoasa# sh running-config

: Saved

ASA Version 8.2(5)

hostname ciscoasa

enable password .vV.3QsyXqiTEfZu encrypted

passwd PnBz02JMnfQN7Ggt encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

shutdown

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.11.5 255.255.255.0

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

banner motd +-+

banner motd | |

banner motd | *** Unauthorized Use or Access Prohibited *** |

banner motd | |

banner motd | For Authorized Official Use Only |

banner motd | You must have explicit permission to access or |

banner motd | configure this device. All activities performed |

banner motd | on this device may be logged, and violations of |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities. |

banner motd | |

banner motd | There is no right to privacy on this device. |

banner motd | |

banner motd +-+

banner motd

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MST recurring

object-group network obj-192.168.1.0

pager lines 30

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 60

dhcpd dns 64.59.135.145

dhcpd address 192.168.1.5-192.168.1.250 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.103.24.10

webvpn

username mintoo password AILiHuRWFGgkbsI5 encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DD

CEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0123ac8c2120560e08333cb9edbde873

: end

pinging IP in outside world

ciscoasa# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa# debug icmp tra

ciscoasa# debug icmp trace

debug icmp trace enabled at level 1

ciscoasa# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

ICMP echo request from 192.168.11.5 to 4.2.2.2 ID=37045 seq=58604 len=72

ICMP echo reply from 4.2.2.2 to 192.168.11.5 ID=37045 seq=58604 len=72