https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454664#M429699 <HTML><HEAD></HEAD><BODY><P>It's true, now how to remove timeout icmp 0:00:02 ?</P><P></P><P>"no timeout icmp" and "timeout 0:00:00" does not work.</P><P></P><P>Thank you in advance</P></BODY></HTML> Mon, 05 Sep 2005 06:09:28 GMT r.spiandorello 2005-09-05T06:09:28Z https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454660#M429690 <P>Hy,asa 5510 with 7.0.2 version and icmp echo traffic from dmz host to an outside host and echo-reply from the outside host to dmz host.</P><P>If I remove the specific ace of the icmp, the traffic still goes-on even if it remains only the ace "deny ip any any" on the 2 access-lists.</P><P>With show conn I can see the 2 icmp sessions.</P><P>Why ?</P><P></P><P></P> Fri, 21 Feb 2020 08:22:10 GMT https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454660#M429690 r.spiandorello 2020-02-21T08:22:10Z https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454661#M429693 <HTML><HEAD></HEAD><BODY><P>i think the reason is due to the fact that icmp fixup is enabled, allowing echo replies to come back</P><P></P><P></P></BODY></HTML> Fri, 02 Sep 2005 21:22:54 GMT https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454661#M429693 nkhawaja 2005-09-02T21:22:54Z https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454662#M429696 <HTML><HEAD></HEAD><BODY><P>Hy, thank you but it runs even if I remove the access-list element that allows the echo.</P><P>Could it be related to the new icmp timeout parameter ?</P><P>After I have removed the access-list element, if I stop the pc to ping and then I start it again, the new ping is denied.</P><P>It seems like the "icmp session" within the timeout is allowed.</P><P>Greatings</P><P>Renato</P><P></P><P></P></BODY></HTML> Sat, 03 Sep 2005 11:53:48 GMT https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454662#M429696 r.spiandorello 2005-09-03T11:53:48Z https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454663#M429698 <HTML><HEAD></HEAD><BODY><P>so for the existing ICMP sessions, they are letting through, but the new sessions will not be.</P><P>if you remove the ACL, then do a clear xlat, it will brake your contiuous icmp as well</P></BODY></HTML> Sat, 03 Sep 2005 18:02:12 GMT https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454663#M429698 nkhawaja 2005-09-03T18:02:12Z https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454664#M429699 <HTML><HEAD></HEAD><BODY><P>It's true, now how to remove timeout icmp 0:00:02 ?</P><P></P><P>"no timeout icmp" and "timeout 0:00:00" does not work.</P><P></P><P>Thank you in advance</P></BODY></HTML> Mon, 05 Sep 2005 06:09:28 GMT https://community.cisco.com/t5/network-security/asa-7-0-2-and-access-list-element-removing-not-working/m-p/454664#M429699 r.spiandorello 2005-09-05T06:09:28Z