https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907029#M457324 <HTML><HEAD></HEAD><BODY><P>Roman,</P><P>I appreciate the reply but neither of those commands are configured on the ASA and there are no inspect statements allowing icmp and only the implicit deny access rule is configured on the outside interface so I'm still confused as to what is allowing the pings to the outside interface.</P><P></P><P>Jeff</P></BODY></HTML> Thu, 05 Apr 2012 19:50:34 GMT jeff6strings 2012-04-05T19:50:34Z https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907027#M457322 <P>We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.</P><P>Appreciate any help.</P><P></P><P>Jeff</P> Mon, 11 Mar 2019 22:51:09 GMT https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907027#M457322 jeff6strings 2019-03-11T22:51:09Z https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907028#M457323 <HTML><HEAD></HEAD><BODY><P>icmp permit any outside</P><P>icmp permit any unreachable outside</P><P>icmp permit any echo outside</P><P>icmp permit any echo-reply outside</P><P>icmp permit any time-exceeded outside</P></BODY></HTML> Thu, 05 Apr 2012 19:47:00 GMT https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907028#M457323 Roman Rodichev 2012-04-05T19:47:00Z https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907029#M457324 <HTML><HEAD></HEAD><BODY><P>Roman,</P><P>I appreciate the reply but neither of those commands are configured on the ASA and there are no inspect statements allowing icmp and only the implicit deny access rule is configured on the outside interface so I'm still confused as to what is allowing the pings to the outside interface.</P><P></P><P>Jeff</P></BODY></HTML> Thu, 05 Apr 2012 19:50:34 GMT https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907029#M457324 jeff6strings 2012-04-05T19:50:34Z https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907030#M457325 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I did a test on my home ASA 5505 8.4(3)</P><P></P><P>It seems that if you dont have any "icmp permit/deny" lines configured (ASA default?), the ASA will respond to ICMP from anywhere on the corresponding interface.</P><P></P><P>If you lets say add one line to allow ICMP to the ASA outside interface and you're pinging from some other network thats not mentioned in the rule you just inserted, the ASA wont respond.</P><P></P><P>So it seems to be</P><UL><LI>No "icmp permit/deny" statements = all ICMP allowed</LI><LI>1 or more ICMP statement configured to the interface = only that network/host is allowed to ping interface. Rest are blocked</LI></UL><P></P><P>To be honest I dont know what this is based on but it does seem to work like that after I tried the commands around.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 05 Apr 2012 20:10:01 GMT https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907030#M457325 Jouni Forss 2012-04-05T20:10:01Z https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907031#M457326 <HTML><HEAD></HEAD><BODY><P>Jouni, thanks for the reply as I was under the impression the ASA denies icmp by default unless manually allowed. Either there is something I'm missing or we have bug based on version and/or configuration we have or I'm wrong assuming pings are denied by default.</P><P>Thanks again,</P><P></P><P>Jeff</P></BODY></HTML> Thu, 05 Apr 2012 20:19:22 GMT https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907031#M457326 jeff6strings 2012-04-05T20:19:22Z https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907032#M457327 <HTML><HEAD></HEAD><BODY><P>Pings to the interface are permitted by default. Pings through the asa are denied by default.</P><P></P><P>http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic5</P><P></P><P>hth</P><P></P><P>Chad</P><P></P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Fri, 06 Apr 2012 03:38:45 GMT https://community.cisco.com/t5/network-security/ping-allowed-but-not-configured/m-p/1907032#M457327 cpembleton 2012-04-06T03:38:45Z