https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654363#M580792 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, you are correct.</P><P></P><P>-Mike</P></BODY></HTML> Tue, 01 Mar 2011 20:37:14 GMT mirober2 2011-03-01T20:37:14Z https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654360#M580789 <P>Hello Dears,</P><P></P><P>I have permited only port 80 and 443 for our web server in DMZ. My question is after permiting port 80 and 443 everything is denied correct me if i m wrong.???</P><P></P><P>I m able to ping my public IP address of my outside interface of ASA from internet, why????</P><P></P><P>when i do icmp deny any outside&nbsp; then it stops pinging but it stops pinging the directly connected interface of Internet router also that is used sometime for troubleshooting.</P><P></P><P>My concern is when i have denied everything from outside access-list&nbsp; except&nbsp; 80 and 443 then why icmp&nbsp; reply are seen to host on internet.</P> Mon, 11 Mar 2019 19:59:15 GMT https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654360#M580789 estelamathew 2019-03-11T19:59:15Z https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654361#M580790 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The difference is in the way the ASA processes to-the-box vs. through-the-box traffic. You are correct that the 'access-list' command includes an implicit deny at the end of it, so all traffic not explicitly permitted will be blocked. However, the access-list only applies to through-the-box traffic. Nothing that you configure in an interface ACL will affect ICMP traffic destined directly to the the ASA.</P><P></P><P>The 'icmp permit' command is how you create access rules for to-the-box traffic.</P><P></P><P>In other words, use 'access-list' to restrict traffic between 2 hosts on either side of the firewall. Use 'icmp' (or 'ssh', 'telnet', or 'http') to restrict traffic sent to the firewall itself.</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Tue, 01 Mar 2011 20:06:12 GMT https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654361#M580790 mirober2 2011-03-01T20:06:12Z https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654362#M580791 <HTML><HEAD></HEAD><BODY><P>Hello ,</P><P></P><P>From ur mail what i understand is</P><P></P><P>Access-list is for the traffic which passess through the firewall.</P><P></P><P>And to block icmp,telnet ssh to the firewall itself we should these commnds telnet,ssh,icmp.</P><P></P><P>so my firewall outside interface which is pinging is correct it should ping until and unless i put a command icmpdeny any outside.</P><P></P><P>Please reply.</P><P></P><P>Thanks </P></BODY></HTML> Tue, 01 Mar 2011 20:35:47 GMT https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654362#M580791 estelamathew 2011-03-01T20:35:47Z https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654363#M580792 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, you are correct.</P><P></P><P>-Mike</P></BODY></HTML> Tue, 01 Mar 2011 20:37:14 GMT https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654363#M580792 mirober2 2011-03-01T20:37:14Z https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654364#M580793 <HTML><HEAD></HEAD><BODY><P>Hello Mike,</P><P></P><P>Thanks a tons,</P><P></P><P>I wanted to confirm the above mail points before posting the below statements.</P><P></P><P>I have a ISA server with 2 NIC 1 is outside and 1 is connected to core switch</P><P></P><P>ISA is statically natted with public IP for carrying users traffic to browse the internet.</P><P></P><P></P><P>Very Very strange issue when i put icmp deny any outside command on firewall, users are not able to browse the internet&nbsp; why???????</P><P></P><P>Thanks</P></BODY></HTML> Tue, 01 Mar 2011 20:49:48 GMT https://community.cisco.com/t5/network-security/icmp-outside/m-p/1654364#M580793 estelamathew 2011-03-01T20:49:48Z