https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934924#M436098 <HTML><HEAD></HEAD><BODY><P>Not sure where to provide the feedback. I dont see anything on the bottom of this thread's page that says 'feedback'. Do I mark your answer as 'Correct' and then get an option to provide feedback?</P><P></P><P>btw - thank you Julio for your replies as well.</P></BODY></HTML> Wed, 23 May 2012 17:15:58 GMT Private Private 2012-05-23T17:15:58Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934917#M436087 <P>All of the documentation I have found says that to allow a particular remote host (a.b.c.d) to ping the outside interface of an ASA, the ICMP command to implement is:</P><P></P><P>icmp permit host a.b.c.d echo-reply outside</P><P></P><P>Why is the icmp type/keyword in the command 'echo-reply' and not 'echo', if the goal here is to allow a.b.c.d to ping (icmp echo request, type 8, code 0) the outside interface? The example in the ASA 8.2 command reference provides the same style example in that it says:</P><P></P><P>"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16&nbsp; to ping the outside interface:</P><P>icmp permit host 172.16.2.15 echo-reply outside</P><P>icmp permit 172.22.1.0 255.255.0.0 echo-reply outside</P><P>icmp permit any unreachable outside"</P><P></P><P>Why isnt it the case that in the above example, what is actually being allowed (permitted) are ICMP echo-replies (icmp type 0, code 0) (and not ping requests) FROM the listed addresses to the outside interface?</P> Mon, 11 Mar 2019 23:10:36 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934917#M436087 Private Private 2019-03-11T23:10:36Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934918#M436088 <HTML><HEAD></HEAD><BODY><P>Hello Private,</P><P></P><P>I would do it with an access-list instead of using the ICMP configuration..</P><P>Have you test it with just the echo?</P><P>I would say you need both of them,</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Wed, 23 May 2012 16:42:01 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934918#M436088 Julio Carvajal 2012-05-23T16:42:01Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934919#M436090 <HTML><HEAD></HEAD><BODY><P>My question is part of a review I am doing, (I dont have access to the device).&nbsp; My understanding though has always been that one uses ACLS (and ICMP in them) as a means for controlling pinging 'through' the ASA and that one should use the specific ICMP commands for controlling ICMP to the firewall interfaces.</P></BODY></HTML> Wed, 23 May 2012 16:50:29 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934919#M436090 Private Private 2012-05-23T16:50:29Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934920#M436091 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It should be just echo, even that would allow the ping.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Wed, 23 May 2012 16:53:11 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934920#M436091 varrao 2012-05-23T16:53:11Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934921#M436092 <HTML><HEAD></HEAD><BODY><P>Hello Private,</P><P></P><P>With the ACL you are going to be fine, that is all you need ( on the ACL will be only echo)</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Wed, 23 May 2012 16:59:58 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934921#M436092 Julio Carvajal 2012-05-23T16:59:58Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934922#M436094 <HTML><HEAD></HEAD><BODY><P>Varun - Thank you for your reply. Does that mean that the example given in the documentation is incorrect? That is, the example given:</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif;">"The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16&nbsp; to ping the outside interface:</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif;">icmp permit host 172.16.2.15 echo-reply outside</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif;">icmp permit 172.22.1.0 255.255.0.0 echo-reply outside</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif;">icmp permit any unreachable outside"</P><P></P><P></P><P>Does not actually permit the given hosts to ping the outside interface, but rather, it only allows the ASA to receive ICMP echo reply messages from the hosts listed?</P></BODY></HTML> Wed, 23 May 2012 17:00:12 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934922#M436094 Private Private 2012-05-23T17:00:12Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934923#M436096 <HTML><HEAD></HEAD><BODY><P>Good Point!!!</P><P></P><P>I might not be able to answer it, but I tested it and it only works with echo, I might need to get in touch with our documentation team on it, since they can only verify it. But it should be echo. Maybe I am also doing something wrong but we can verify it ourselves, if you scroll to the bottom, you can provide us the feedback about the doc and this way it would be routed to the correct team, lets wait for their answer <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Wed, 23 May 2012 17:10:51 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934923#M436096 varrao 2012-05-23T17:10:51Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934924#M436098 <HTML><HEAD></HEAD><BODY><P>Not sure where to provide the feedback. I dont see anything on the bottom of this thread's page that says 'feedback'. Do I mark your answer as 'Correct' and then get an option to provide feedback?</P><P></P><P>btw - thank you Julio for your replies as well.</P></BODY></HTML> Wed, 23 May 2012 17:15:58 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934924#M436098 Private Private 2012-05-23T17:15:58Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934925#M436100 <HTML><HEAD></HEAD><BODY><P>Nope I was talking about the command reference doc:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i1.html#wp1717728">http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i1.html#wp1717728</A></P><P></P><P>You will see the feedback option at the bottom.</P><P></P><P>You can also mark this thread as answered if it helped you.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Wed, 23 May 2012 17:19:45 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934925#M436100 varrao 2012-05-23T17:19:45Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934926#M436101 <HTML><HEAD></HEAD><BODY><P>Thanks. I will go there. Just as an fyi, although I have seen this exact example used in many versions of the documentation, the exact documentation I am looking at is the version 8.2 command reference.</P></BODY></HTML> Wed, 23 May 2012 17:22:13 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934926#M436101 Private Private 2012-05-23T17:22:13Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934927#M436103 <HTML><HEAD></HEAD><BODY><UL><LI>Yup, I was checking the other latest versions as well whether its the same, and it is, so you cna provide your feedback on any one of them, since it commands have not changed.</LI></UL><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Wed, 23 May 2012 17:24:50 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934927#M436103 varrao 2012-05-23T17:24:50Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934928#M436105 <HTML><HEAD></HEAD><BODY><P>Thanks.&nbsp; Feedback submitted</P></BODY></HTML> Wed, 23 May 2012 17:30:03 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934928#M436105 Private Private 2012-05-23T17:30:03Z https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934929#M436107 <HTML><HEAD></HEAD><BODY><P>Sure, let us know, when you get the reply, take care <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Wed, 23 May 2012 17:33:44 GMT https://community.cisco.com/t5/network-security/quick-question-re-asa-and-icmp-command/m-p/1934929#M436107 varrao 2012-05-23T17:33:44Z